Abstract

In this paper, we study the arithmetics of skew polynomial rings over finite fields, 
mostly from an algorithmic point of view. We give various algorithms for fast mul- 
tiplication, division and extended Euclidean division. We give a precise description 
of quotients of skew polynomial rings by a left principal ideal, using results relating 
skew polynomial rings to Azumaya algebras. We use this description to give a new 
factorization algorithm for skew polynomials, and to give other algorithms related to 
factorizations of skew polynomials, like counting the number of factorizations as a 
product of irreducibles. 
Introduction



The aim of this paper is to present several algorithms to deal efficiently with rings of skew 
polynomials over finite fields. These noncommutative rings have been widely studied, in- 
cluding from an algorithmic point of view, since they were first introduced by Ore in 1933. 
The main applications for the study of skew polynomials over finite fields are for error- 
correcting codes. The first significant results in terms of effective arithmetics in these rings, 
including an algorithm to factor a skew polynomial as a product of irreducibles, appear in 
Giesbrecht's paper [Gie98]. In this paper, we give a factorization algorithm whose complexity improves on Giesbrecht's. We also describe various fast-multiplication algorithms
for skew polynomials, and some additional algorithms such as a factorization-counting al- 
gorithm, or an algorithm generating the uniform distribution on the factorizations of a 
given skew polynomial.

The first part of the article is mostly theoretical. Let $k$ be a finite field of characteristic $p$, and let $\sigma$ be an automorphism of $k$. We denote by $k^\sigma$ the subfield of $k$ fixed by $\sigma$, and by $r$ the order of $\sigma$ on $k$. The ring $k[X,\sigma]$ of skew polynomials with coefficients in $k$ is a noncommutative ring, on which multiplication is determined by $X\cdot a = \sigma(a)\cdot X$ for all $a\in k$. The first Theorem we shall prove is the following:

Theorem (cf. Theorem 1.2.1). The ring $k[X,\sigma][1/X]$ is an Azumaya algebra over its centre $k^\sigma[X^r][1/X^r]$.

This Theorem has many important consequences for our purpose. The first one is the existence of a reduced norm map $\mathcal{N}: k[X,\sigma]\to k^\sigma[X^r]$, which turns out to have very nice properties related to factorizations. For instance, we shall explain how it can be used to establish a close link between factorizations of a skew polynomial and basic linear algebra over finite extensions of $k^\sigma$. As an illustration, we will show how to use this theory to derive a formula giving the number of factorizations of any skew polynomial.

The second part of the paper deals with algorithmic aspects of skew polynomials. 
We start by giving various fast-multiplication algorithms and, as usual, we derive from 
them efficient algorithms to compute Euclidean division and gcd. Then, we reach the 
core algorithm of this paper: the factorization algorithm. Making intensive use of the theory developed in the first part, we obtain a very efficient algorithm, SkewFactorization, to factor a skew polynomial as a product of irreducible skew polynomials.

Theorem (cf. Theorem 2.4.2). The algorithm SkewFactorization factors a skew polynomial of degree $d$ in $k[X,\sigma]$ with complexity

d{dr^ log q + dlog^ q + d^+^(log + F{d, k")) 

bit operations, for all $\varepsilon > 0$. Here, $F(d,K)$ denotes the complexity of the factorization of a (commutative) polynomial of degree $d$ over the finite field $K$.

In [KU08], Kedlaya and Umans described a factorization algorithm for polynomials over finite fields whose complexity is:

$$F(d,K) = \big(d^{3/2+o(1)} + d^{1+o(1)}\log q\big)\cdot(\log q)^{1+o(1)}$$

bit operations, where q is the cardinality of K. Assuming this value for F{d,K), we 
see that the terms dlog^ q and d^^^ {log q)^^"^^^ are negligible compared to F{d,K). If 
furthermore <C d, also is the term dr^ log q. With this extra assumption, the complexity 
of our algorithm is then comparable to the complexity of the factorization of a commutative 
polynomial of the same degree. 

The complexity of our algorithm should be compared to the complexity of Giesbrecht's 
algorithm, which is: 

d{d^r'^ log q + d^r'^ \ogq + d- MM{dr) log q + d^r ■ log^ q) 

bit operations¹, where $\mathrm{MM}(n)$ is the complexity of the multiplication of two $n\times n$ matrices.

¹In Giesbrecht's paper, the complexity is given as a number of operations in $k^\sigma$. Since any operation in $k^\sigma$ requires $O(\log q)$ bit operations (using fast algorithms), the complexity given here is obtained from Giesbrecht's by multiplying by $O(\log q)$.
The strategy of our algorithm is roughly comparable to Giesbrecht's: in order to factor $P$, we find a multiple $N$ of $P$ lying in the centre of $k[X,\sigma]$, we factor $N$ in the centre (which is a commutative polynomial ring) and we recover a factorization of $P$ from the factorization of $N$ we have just computed. The two main improvements are the following. First, we obtain better algorithms for the basic operations (multiplication, Euclidean division and gcd's). Using them to factor a polynomial already improves the complexity significantly. The second improvement (which is the most important) consists in taking full advantage of the close study of all the objects involved carried out in the first part. For instance, in order to obtain the central multiple $N$, we just compute the reduced norm, for which efficient algorithms exist. In the same way, our theoretical results imply that, for some particular $P$, the quotient $k[X,\sigma]/k[X,\sigma]P$ is endowed with a rich structure, and we use it to replace computations with large matrices over $k^\sigma$ by computations with matrices of size at most $r$ defined over a bigger field. Since the usual arithmetic in field extensions is more efficient than computations with matrices (quasilinear versus subcubic), we gain a lot.

Eventually, we give an algorithm to compute the number of factorizations of a skew 
polynomial and we describe an algorithm to generate the uniform distribution on the 
factorizations of a skew polynomial. 

All the algorithms described here have been implemented in SAGE, and some of them in MAGMA. We briefly discuss the implementation.

This work was supported by the Agence Nationale de la Recherche, CETHop project, 
number ANR-09-JCJC-0048-01. 

1 The ring $k[X,\sigma]$

1.1 Some facts about $k[X,\sigma]$

Let $k$ be a finite field of characteristic $p$ and let $\sigma$ be an automorphism of $k$. We denote by $k^\sigma$ the subfield of $k$ fixed by $\sigma$. Let $r$ be the order of $\sigma$: $r$ is also the degree of the extension $k/k^\sigma$. We denote by $k[X,\sigma]$ the ring of skew polynomials with coefficients in $k$. The underlying group is just $k[X]$, and the multiplication is determined by the rule

$$\forall a\in k,\qquad Xa = \sigma(a)X.$$

We recall some notions from [Jac96], Chapter 1 (mainly §1.1 and §1.2). The centre of $k[X,\sigma]$ is $k^\sigma[X^r]$. The ring $k[X,\sigma]$ is endowed with left- and right-Euclidean division algorithms.

Hence, there are also notions of right- and left-greatest common divisor, and left- and right-least common multiple (denoted respectively by rgcd, lgcd, llcm, rlcm). Of course, every element of $k[X,\sigma]$ can be written as a product of irreducible elements of $k[X,\sigma]$. However, such a factorization is not unique in general. The first result that describes how two factorizations of a skew polynomial as a product of irreducibles are related is due to Ore. Before stating it, let us give a definition:

Definition 1.1.1. Let $P,Q\in k[X,\sigma]$ be two skew polynomials. Then $P$ and $Q$ are similar if there exist $U,V\in k[X,\sigma]$ such that $\mathrm{rgcd}(P,V) = 1$, $\mathrm{lgcd}(Q,U) = 1$ and $UP = QV$.

Even though it may not be clear at first glance, this is an equivalence relation. Remark that in the case $\sigma = \mathrm{id}$, this just means that $P$ and $Q$ are equal up to multiplication by an element of $k^\times$. We then have the following theorem:
Theorem (Ore, [Ore33]). Let $P_1,\dots,P_n$ and $Q_1,\dots,Q_m$ be irreducible skew polynomials. If $P_1\cdots P_n = Q_1\cdots Q_m$, then $m = n$ and there exists a permutation $\tau$ of $\{1,\dots,n\}$ such that for all $1\le i\le n$, $P_i$ is similar to $Q_{\tau(i)}$.

However, the converse of this theorem is false. In general, if the $P_i$ and $Q_i$ are pairwise similar, $\prod P_i$ and $\prod Q_i$ are not even similar.

An interesting point of view on skew polynomials is that of $\varphi$-modules, which we shall elaborate on later. For now, it is enough to say that a $\varphi$-module over $k$ is a $k[X,\sigma]$-module of finite type. If $P\in k[X,\sigma]$ is nonzero, a typical example of a $\varphi$-module over $k$ is $k[X,\sigma]/k[X,\sigma]P$, which is "the $\varphi$-module associated to $P$". Then, two skew polynomials are similar if and only if the associated $\varphi$-modules are isomorphic, and Ore's theorem is just a restatement of the Jordan-Hölder Theorem in the category of $\varphi$-modules.

1.2 The ring $k[X,\sigma][1/X]$ is an Azumaya algebra

The aim of this section is to prove Theorem 1.2.1 and to give several consequences. Let us now recall the statement of the Theorem:

Theorem 1.2.1. The ring $k[X,\sigma][1/X]$ is an Azumaya algebra over $k^\sigma[X^r][1/X^r]$.

Proof. Let us denote by $\mathcal{R}$ the ring $k[X,\sigma][1/X]$ and by $C$ its centre $k^\sigma[X^r][1/X^r]$. By definition, it is enough to show that for every prime ideal $\mathfrak{P}$ of $C$, $\mathcal{R}\otimes_C\mathrm{Frac}(C/\mathfrak{P})$ is a central simple algebra over $\mathrm{Frac}(C/\mathfrak{P})$. The case $\mathfrak{P} = (0)$ is exactly [Jac96], Theorem 1.4.6. The other prime ideals of $C$ are of the form $(N)$ with $N\in k^\sigma[X^r]$ monic irreducible and different from $X^r$. Fix such an irreducible polynomial $N$. Denote by $E$ the field of fractions of $C/(N)$. Let us first show that $\mathcal{R}_N = \mathcal{R}\otimes_C E$ is simple. Let $I\subset\mathcal{R}_N$ be a two-sided ideal. Assume that $I\neq(0)$, and let $x\in\mathcal{R}_N$ be a nonzero element of $I$. First remark that every element of $\mathcal{R}_N$ can be written as $P\otimes 1$. Indeed, if $t$ is the class of $X^r$ in $E = C/(N)$, then $1\otimes t = X^r\otimes 1$. Therefore, we can write $x = P\otimes 1$ with $P\in k[X,\sigma]/(N)$. Now assume that $x$ and $P$ are chosen such that the number of nonzero coefficients of $P$ is minimal (with $x\in I\setminus\{0\}$). We can assume that $P$ is monic of degree $d$. We have $P - XPX^{-1}\in I$, and this polynomial has fewer nonzero coefficients than $P$, so it is zero. Similarly, if $a\in k^\times$, $P - \sigma^d(a)^{-1}Pa = 0$. This shows that $x$ is central. Since the centre of $\mathcal{R}_N$ is a commutative finite integral $E$-algebra, it is a field, so $x$ is invertible and $I = \mathcal{R}_N$.

It remains to prove that this centre is exactly $E$. We just need to solve the equations

$$X\cdot\sum_i a_iX^i = \Big(\sum_i a_iX^i\Big)\cdot X \qquad\text{and}\qquad a\cdot\sum_i a_iX^i = \Big(\sum_i a_iX^i\Big)\cdot a$$

for $a$ a generator of $k/k^\sigma$. It is easy to see that the solutions are exactly (the reduction modulo $N$ of) elements of $k^\sigma[X^r]$, so that the centre of $\mathcal{R}_N$ is $E$. □

This result has various corollaries that are interesting for questions about factoring skew polynomials.

Corollary 1.2.2. Let $N\in k^\sigma[X^r]$ be a nonzero polynomial that is not a power of $X$. Then $C/NC$ and $\mathcal{R}/N\mathcal{R}$ are Morita-equivalent.

Proof. Since $\mathcal{R}$ is an Azumaya algebra over $C$, $\mathcal{R}/N\mathcal{R}$ is an Azumaya algebra over $C/NC$. Since $C/NC$ is a finite commutative ring, its Brauer group is trivial, hence $\mathcal{R}/N\mathcal{R}$ and $C/NC$ represent the same class in this Brauer group. □
Corollary 1.2.3. Let $N\in k^\sigma[X^r]$ be an irreducible polynomial different from $X$. Let $E_N$ be the quotient field $C/(N)$. Then

$$\mathcal{R}/N\mathcal{R}\simeq M_r(E_N),$$

the ring of $r\times r$ matrices with coefficients in $E_N$.

Proof. By Corollary 1.2.2, $\mathcal{R}/N\mathcal{R}$ is a ring of matrices with coefficients in $E_N$. The result follows from the fact that $\mathcal{R}/N\mathcal{R}$ has dimension $r^2\deg N$ over $k^\sigma$, as does $M_r(E_N)$. □

One of the usual objects associated to Azumaya algebras is the notion of reduced norm. This notion will be very important in the rest of the paper. In our situation, it is a multiplicative morphism $\mathcal{N}: k[X,\sigma][1/X]\to k^\sigma[X^r][1/X^r]$ which can be defined as follows. Consider the largest étale subalgebra of $k[X,\sigma][1/X]$, which is $k[X^r][1/X^r]$. Then $\mathcal{N}(P)$ is nothing but the determinant of the right-multiplication by $P$ on $k[X,\sigma][1/X]$ considered as a $k[X^r][1/X^r]$-module. Using that $k[X,\sigma]$ is a free module of rank $r$ over $k[X^r]$ (with basis $(1,X,\dots,X^{r-1})$ for example), we deduce directly that $\mathcal{N}$ maps $k[X,\sigma]$ to $k^\sigma[X^r]$. We furthermore note that, if $P$ is a central skew polynomial (i.e. $P\in k^\sigma[X^r]$), the (right-)multiplication by $P$ acts on $k[X,\sigma]$ as the (left-)multiplication by $P$ and therefore has determinant $P^r$. Therefore $\mathcal{N}(P) = P^r$ provided that $P\in k^\sigma[X^r]$.

Remark 1.2.4. The property of being an Azumaya algebra could certainly be generalized to some other skew polynomial rings, for instance $k[X,\partial]$ where $\partial f = f' + f\partial$. For Azumaya algebras over rings whose Brauer group is trivial, many results of this paper should remain true. Since the triviality of the Brauer group is used strongly, there would probably be variations in the expected theorems when the Brauer group is nontrivial.

1.3 Reinterpretation in terms of Galois representations 

In this section, we give a reinterpretation of the Morita equivalence in terms of Galois 
representations, recovering a variation of a theorem of Katz. Let us first give one definition. 

Definition 1.3.1. A $\varphi$-module over $k$ is a finite dimensional $k$-vector space $D$ endowed with an endomorphism $\varphi: D\to D$ that is semilinear with respect to $\sigma$, i.e. for all $x\in D$ and $\lambda\in k$, $\varphi(\lambda x) = \sigma(\lambda)\varphi(x)$. A $\varphi$-module is said to be étale if the map $\varphi$ is injective.

By definition, a $\varphi$-module (resp. an étale $\varphi$-module) over $k$ is exactly a left $k[X,\sigma]$-module having finite dimension over $k$ (resp. on which $X$ moreover acts injectively).

Definition 1.3.2. If $P\in k[X,\sigma]$, the $\varphi$-module $D_P$ associated to $P$ is $k[X,\sigma]/k[X,\sigma]P$, endowed with the semilinear map $\varphi$ given by left-multiplication by $X$. We say that $P$ is étale if $D_P$ is étale. (This exactly means that the constant coefficient of $P$ is nonzero.)

Remark 1.3.3. Two skew polynomials $P$ and $Q$ are similar if and only if $D_P\simeq D_Q$.

The Morita equivalence shows the following: 

Corollary 1.3.4. The category of étale $\varphi$-modules over $k$ is equivalent to the category of finite dimensional $k^\sigma$-vector spaces endowed with an invertible endomorphism.

Proof. Let $D$ be an étale $\varphi$-module over $k$. Since $D$ has finite dimension over $k$, it is annihilated by some ideal $(N)$ of $C$. By Corollary 1.2.2, the categories of left $\mathcal{R}/N\mathcal{R}$-modules and of $C/NC$-modules are equivalent, and we are done. □
This corollary can also be seen as a variation of the following theorem:

Theorem (Katz). Let $K$ be a field of characteristic $p>0$ endowed with a power $\sigma$ of the Frobenius endomorphism. Then the category of étale $\varphi$-modules over $K$ is equivalent to the category of $K^\sigma$-representations of the absolute Galois group of $K$.

Indeed, if $\sigma(a) = a^{p^s}$, let $K = k\mathbb{F}_{p^s}$. Then $K^\sigma = k^\sigma$, and the absolute Galois group of $K$ is a procyclic group, so that a representation of this group is just the data of an invertible endomorphism of a $k^\sigma$-vector space of finite dimension (giving the action of a generator of the group). The functor giving this equivalence is explicit: the representation corresponding to an étale $\varphi$-module $D$ over $k$ is $\mathrm{Hom}_\varphi(D,K^{\mathrm{sep}})$.

Proposition 1.3.5. Let $(D,\varphi)$ be a $\varphi$-module over $k$, and let $\sigma^r$ be the generator of the absolute Galois group of $k\mathbb{F}_{p^s}$. Then the action of $\sigma^r$ on the $k^\sigma$-representation $V$ corresponding to $D$ is isomorphic to $\varphi^r$:

$$(V\otimes_{k^\sigma}k,\ \sigma^r\otimes 1)\ \simeq\ (D,\varphi^r).$$

Proof. It is enough to prove the result when $\varphi^r$ is cyclic. Let $f\in V = \mathrm{Hom}_\varphi(D,K^{\mathrm{sep}})$. Then for $x\in D$, $\sigma^r f(x) = f(\varphi^r(x))$. This shows that the polynomials annihilating $\sigma^r$ and $\varphi^r$ are the same. The characteristic and minimal polynomials of $\sigma^r$ are the same, and equal to the characteristic polynomial of $\varphi^r$, so these two endomorphisms are conjugate. □

Using the fact that two skew polynomials are similar if and only if the corresponding 
modules are isomorphic, we immediately get: 

Corollary 1.3.6. Let $P,Q\in k[X,\sigma]$. The skew polynomials $P$ and $Q$ are similar if and only if the $k^\sigma[X^r]$-modules $(D_P,\varphi^r)$ and $(D_Q,\varphi^r)$ are isomorphic.

Since $\varphi^r$ is a $k$-linear map, testing whether these $k^\sigma[X^r]$-modules are isomorphic is completely straightforward.

1.4 Factorizations 

In this section, we study some properties related to factorizations of skew polynomials and the structure of the corresponding $\varphi$-modules. First recall that if $P$ is a monic étale skew polynomial, there is a bijection between all factorizations of $P$ as a product of monic irreducible skew polynomials, on the one hand, and all Jordan-Hölder sequences of the corresponding $\varphi$-module, on the other hand. By Proposition 1.3.5, these factorizations are also in bijection with the Jordan-Hölder sequences of $D_P$ (viewed as a $k^\sigma[X^r]$-module). We shall see how we can use this to count the number of factorizations of $P$.

1.4.1 Another definition of the norm 

Recall that we have defined the (reduced) norm of a skew polynomial $P\in k[X,\sigma]$ as the determinant of the right-multiplication by $P$ acting on the $k[X^r]$-module $k[X,\sigma]$. Proposition 1.3.5 allows us to give an equivalent definition:

Lemma 1.4.1. Let $P\in k[X,\sigma]$ be monic and let $(D_P,\varphi)$ be the corresponding $\varphi$-module. Then the norm $\mathcal{N}(P)$ is the characteristic polynomial of $\varphi^r$. If $P = aP'$ with $P'$ monic, then $\mathcal{N}(P) = N_{k/k^\sigma}(a)\cdot\mathcal{N}(P')$.
Proof. Let $m_P$ be the right-multiplication by $P$ acting on $k[X,\sigma]$. Since both $P\mapsto\mathcal{N}(P) = \det m_P$ and $P\mapsto\chi_{\varphi^r}$ are multiplicative, it is enough to prove the Lemma when $P$ is monic irreducible. Let $\pi: k[X,\sigma]\to D_P$ be the canonical projection. We have $\pi\circ m_P = 0$. Since $\pi$ is surjective, the multiplication by $\det m_P$ is also zero on $D_P$. This means that the minimal polynomial of the multiplication by $X^r$ on $D_P$ is a divisor of $\det m_P$. Since $P$ is irreducible, this minimal polynomial is the characteristic polynomial $\chi$ of $\varphi^r$. It is then enough to show (1) that the degree of $\mathcal{N}(P)$ is the same as the degree of $\chi$ and (2) that $\mathcal{N}(P)$ is monic. Write $P = P_0 + P_1X + \cdots + P_{r-1}X^{r-1}$ with the $P_i$'s in $k[X^r]$. In the basis $(1,X,\dots,X^{r-1})$, the row of $X^j$ in the matrix of $m_P$ is given by $X^jP = \sum_i\sigma^j(P_i)X^{i+j}$ (where $\sigma$ acts on the coefficients of $P_i$ and $X^{i+j} = X^{i+j-r}\cdot X^r$ when $i+j\ge r$), so this matrix is:

$$\begin{pmatrix}
P_0 & P_1 & P_2 & \cdots & P_{r-1}\\
X^r\sigma(P_{r-1}) & \sigma(P_0) & \sigma(P_1) & \cdots & \sigma(P_{r-2})\\
X^r\sigma^2(P_{r-2}) & X^r\sigma^2(P_{r-1}) & \sigma^2(P_0) & \cdots & \sigma^2(P_{r-3})\\
\vdots & \vdots & \ddots & \ddots & \vdots\\
X^r\sigma^{r-1}(P_1) & X^r\sigma^{r-1}(P_2) & \cdots & X^r\sigma^{r-1}(P_{r-1}) & \sigma^{r-1}(P_0)
\end{pmatrix}$$

Let $0\le i\le r-1$ be the greatest integer such that the degree of $P_i$ is maximal, and denote by $\delta$ this degree. In the sum giving the determinant of this matrix, we have the term

$$P_i\,\sigma(P_i)\cdots\sigma^{r-i-1}(P_i)\cdot X^r\sigma^{r-i}(P_i)\cdots X^r\sigma^{r-1}(P_i)$$

whose degree is $\delta(r-i) + (\delta+1)i = \delta r + i$ (as a polynomial in $X^r$). All the other terms of the determinant have degree less than this, so $\mathcal{N}(P) = \det m_P$ has degree $\delta r + i = \deg P = \deg\chi$ and is monic. □

Proposition 1.4.2. Let $\mathcal{N}$ be the reduced norm map on $k[X,\sigma]$. Then the following properties hold:

• $\forall P\in k[X,\sigma]$, $P$ is a right- and left-divisor of $\mathcal{N}(P)$ in $k[X,\sigma]$;

• $\forall P\in k[X,\sigma]$, $P$ is irreducible if and only if $\mathcal{N}(P)$ is irreducible in $k^\sigma[X^r]$;

• If $P,Q\in k[X,\sigma]$ and $P$ is irreducible, then $P$ and $Q$ are similar if and only if $\mathcal{N}(P) = \mathcal{N}(Q)$ (up to a multiplicative constant).

Proof. The first fact is well-known (see for instance [Jac96], Proposition 1.7.1). It can be seen easily from the fact that if $(D_P,\varphi)$ is the $\varphi$-module associated to $P$, then $\mathcal{N}(P)(\varphi) = 0$. Indeed, the left ideal $\{R\in k[X,\sigma]\mid R(\varphi) = 0\}$ is exactly $k[X,\sigma]P$.

For the second assertion, remark that $P$ is irreducible if and only if $D_P$ is simple, which holds if and only if the corresponding representation is irreducible. This is true if and only if the characteristic polynomial of $\varphi^r$ is irreducible in $k^\sigma[X^r]$.

Finally, we have already seen that the similarity class of a skew polynomial is determined by the conjugacy class of the action of $\varphi^r$ on the corresponding $\varphi$-module (Corollary 1.3.6). For irreducible elements, this is completely determined by the characteristic polynomial of $\varphi^r$, i.e. the reduced norm. □
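As an added worked example (this is not code from the paper; the authors' implementations are in SAGE and MAGMA), the following Python models the objects of this section on a toy instance: $k = \mathbb{F}_{16}$ with $\sigma$ the Frobenius $a\mapsto a^2$, so $r = 4$ and $k^\sigma = \mathbb{F}_2$; skew polynomials with the rule $Xa = \sigma(a)X$ of §1.1; right Euclidean division (the rgcd is the usual Euclid loop over its remainders); and the reduced norm computed as the characteristic polynomial of $\varphi^r$ on $D_P$ in the basis $1,X,\dots,X^{d-1}$ (Lemma 1.4.1). The checks in `demo` exercise Proposition 1.4.2: $\mathcal{N}(P)$ has coefficients in $k^\sigma$ and $P$ right-divides $\mathcal{N}(P)$. The field, the sample polynomial $P = X^2 + x^2X + x$ and the Leibniz-expansion characteristic polynomial are choices made for this illustration, not the paper's algorithms.

```python
# Added example (not the paper's code): skew polynomials over k = GF(2^n) with
# sigma = Frobenius^s, i.e. X*a = sigma(a)*X.  A skew polynomial is a little-endian list
# of field elements, coefficients written to the LEFT of the powers of X.  A field element
# is an int whose bits are the coefficients of a polynomial over F_2, reduced modulo `modulus`.
from itertools import permutations
from math import gcd


class GF:
    def __init__(self, n, modulus):     # modulus: the field polynomial, an int with bit n set
        self.n, self.modulus = n, modulus

    def mul(self, a, b):                # carry-less product reduced modulo the field polynomial
        r = 0
        while b:
            r ^= a if b & 1 else 0
            b, a = b >> 1, a << 1
            a ^= self.modulus if (a >> self.n) & 1 else 0
        return r

    def pow(self, a, e):
        r = 1
        while e:
            r = self.mul(r, a) if e & 1 else r
            a, e = self.mul(a, a), e >> 1
        return r

    def inv(self, a):                   # a^(2^n - 2) = 1/a for a != 0
        return self.pow(a, (1 << self.n) - 2)

    def sigma(self, a, s, i=1):         # sigma^i(a) where sigma(a) = a^(2^s); uses a^(2^n) = a
        return self.pow(a, 1 << (s * i % self.n))


def trim(P):
    while P and P[-1] == 0:
        P = P[:-1]
    return P

def skew_mul(F, s, P, Q):
    R = [0] * (len(P) + len(Q) - 1) if P and Q else []
    for i, a in enumerate(P):
        for j, b in enumerate(Q):       # (a X^i)(b X^j) = a sigma^i(b) X^(i+j)
            R[i + j] ^= F.mul(a, F.sigma(b, s, i))
    return trim(R)

def skew_divmod(F, s, P, D):
    """Right Euclidean division: (Q, R) with P = Q*D + R and deg R < deg D (D != 0)."""
    P, D = trim(list(P)), trim(D)
    Q = [0] * max(len(P) - len(D) + 1, 0)
    while len(P) >= len(D):
        k = len(P) - len(D)
        # the leading term of (c X^k) D is c sigma^k(lead D) X^(deg P): choose c to cancel it
        c = F.mul(P[-1], F.inv(F.sigma(D[-1], s, k)))
        Q[k] = c
        P = trim([x ^ y for x, y in zip(P, skew_mul(F, s, [0] * k + [c], D))])
    return trim(Q), P

def poly_mul(F, A, B):                  # ordinary polynomials over k, little-endian
    R = [0] * (len(A) + len(B) - 1)
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            R[i + j] ^= F.mul(a, b)
    return R

def charpoly(F, M):
    """det(t I - M) by Leibniz expansion (small d only; in characteristic 2 no signs matter)."""
    d, chi = len(M), [0] * (len(M) + 1)
    for perm in permutations(range(d)):
        term = [1]
        for i in range(d):
            term = poly_mul(F, term, [M[i][perm[i]], 1] if perm[i] == i else [M[i][perm[i]]])
        for e, c in enumerate(term):
            chi[e] ^= c
    return chi

def reduced_norm(F, s, P):
    """N(P) for monic P, as the characteristic polynomial chi of phi^r on D_P (Lemma 1.4.1).
    Returns (N, chi) where N = chi(X^r) is written as a (central) skew polynomial."""
    r, d = F.n // gcd(F.n, s), len(P) - 1   # r = order of sigma, d = deg P
    # column j of the matrix of phi^r (left multiplication by X^r): X^(r+j) reduced modulo P
    cols = [skew_divmod(F, s, [0] * (r + j) + [1], P)[1] + [0] * d for j in range(d)]
    chi = charpoly(F, [[cols[j][i] for j in range(d)] for i in range(d)])
    N = [0] * (r * d + 1)
    for e, c in enumerate(chi):
        N[r * e] = c
    return N, chi

def demo():
    F = GF(4, 0b10011)                      # k = F_16 = F_2[x]/(x^4 + x + 1), x = 0b0010
    s, g = 1, 0b0010                        # sigma(a) = a^2: r = 4 and k^sigma = F_2
    assert skew_mul(F, s, [0, 1], [g]) == [0, F.sigma(g, s)]   # X g = sigma(g) X, not g X
    P = [g, F.mul(g, g), 1]                 # P = X^2 + g^2 X + g: monic, etale (P(0) != 0)
    N, chi = reduced_norm(F, s, P)
    assert set(chi) <= {0, 1}               # N(P) has coefficients in k^sigma = F_2
    assert skew_divmod(F, s, N, P)[1] == [] # P right-divides N(P)  (Proposition 1.4.2)
    return chi
```

For $P = X + x$ (degree 1) the code returns $\mathcal{N}(P) = X^4 + 1$: the only entry of the matrix of $\varphi^4$ is $X^4 \bmod (X+x) = x\,\sigma(x)\sigma^2(x)\sigma^3(x) = N_{k/\mathbb{F}_2}(x) = x^{15} = 1$, which is the constant term of the norm of a linear skew polynomial. For a central $P\in k^\sigma[X^4]$ the matrix of $\varphi^4$ on $D_P$ is the companion matrix of $P$ as a polynomial in $X^4$, and the code returns $P^4$, in agreement with $\mathcal{N}(P) = P^r$ from §1.2.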

Since $P$ is a divisor of $\mathcal{N}(P)$, we can expect that if $N$ is some irreducible factor of $\mathcal{N}(P)$ in $k^\sigma[X^r]$, then $\mathrm{rgcd}(N,P)$ would be a nonconstant right-divisor of $P$. This is actually always true and is formalized by the following lemma:
Lemma 1.4.3. Let $P\in k[X,\sigma]$ be étale and monic. Let $N = \mathcal{N}(P)$, and write $N = N_1\cdots N_m$ with all $N_i$'s irreducible. Then there exist $P_1,\dots,P_m\in k[X,\sigma]$ such that $P = P_1\cdots P_m$ and for all $1\le i\le m$, $\mathcal{N}(P_i) = N_i$.

Moreover, $P_m$ can be chosen as an irreducible right-divisor of $\mathrm{rgcd}(P,N_m)$.

Proof. By induction on $m$, it is enough to prove the last assertion. Let $V_P$ be the Galois representation corresponding to the $\varphi$-module $D_P$ via Katz's equivalence of categories (cf. the Theorem of Katz in §1.3). Using Proposition 1.3.5, we find that $V_P$ has a subrepresentation which is isomorphic to the quotient $k^\sigma[X^r]/N_m$ (where $\sigma^r$ acts by multiplication by $X^r$). Hence, there exists a surjective map $D_P\to D_{P_m}$ where $P_m$ is some skew polynomial of reduced norm $N_m$. It implies that $P_m$ is a right divisor of $P$ and then also a right divisor of $\mathrm{rgcd}(P,N_m)$. This concludes the proof. □

Remark 1.4.4. This result shows how to determine the similarity classes of the irreducible skew polynomials appearing in a factorization of $P$. It also shows that any order is possible for the appearance of these similarity classes in a factorization of $P$.

When $N$ is an irreducible factor of $\mathcal{N}(P)$, the right greatest common divisor $\mathrm{rgcd}(N,P)$ is never constant, so if we want to factor $P$ as a product of irreducible polynomials, we only need to know how to factor skew polynomials which are right-divisors of irreducible elements of the centre $k^\sigma[X^r]$.



1.4.2 On the structure of $D_P$ when $P$ divides an irreducible central polynomial

Let $N\in k^\sigma[X^r]$ be a monic irreducible polynomial, and let $E = k^\sigma[X^r]/(N)$. Let $P\in k[X,\sigma]$ be a right-divisor of $N$. The previous section has shown that factoring skew polynomials can be reduced to factoring skew polynomials of this form. In this theoretical section, we begin a close study of the structure of $D_P$. All the results we are going to prove will play a very important role in the next section, when we will be interested in designing a fast algorithm for the factorization of skew polynomials.

We first remark that, since $\mathcal{N}(N) = N^r$, the norm of $P$ is $N^e$ for some integer $e\in\{1,\dots,r\}$.

Lemma 1.4.5. The $\varphi$-module $D_N$ is isomorphic to a direct sum of $r$ copies of a simple $\varphi$-module.

Proof. It follows directly from Corollary 1.2.2. □

The Lemma implies that if $P$ is a right-divisor of $N$ with $\mathcal{N}(P) = N^e$, then the module $D_P = k[X,\sigma]/k[X,\sigma]P$ is isomorphic to a direct sum of $e$ copies of a simple $\varphi$-module. From this, we deduce that $\mathrm{End}_\varphi(D_P)\simeq M_e(E)$.



Ring of endomorphisms. From now on, we write $N = PQ$ for some $Q\in k[X,\sigma]$. Note that it implies that $QN = QPQ$; therefore $NQ = QPQ$ (since $N$ lies in the centre) and, simplifying by $Q$, we get $N = QP$. In other words, $P$ and $Q$ commute. The following proposition compares the module $D_P = k[X,\sigma]/k[X,\sigma]P$ and its ring of endomorphisms.

Proposition 1.4.6. The map

$$D_P\longrightarrow\mathrm{End}_\varphi(D_P),\qquad R\longmapsto m_{QR}:\ \big(D_P\to D_P,\ x\mapsto xQR\big)$$

is a surjective additive group homomorphism.



Note that since $PQ = QP = N$ is central in $k[X,\sigma]$, the map above is well-defined. Indeed, we have to check that if $x\equiv x'\pmod P$ and $R\equiv R'\pmod P$ then $xQR\equiv x'QR'\pmod P$. Writing $x' = x+SP$ and $R' = R+TP$, we have:

$$x'QR' = xQR + SPQR + (xQT + SPQT)P \equiv xQR + SNR = xQR + SRN = xQR + SRQP \equiv xQR\pmod P,$$

which is exactly what we want. In order to prove the proposition, we will need the following lemma, which states that in the case $P = N$, this map is in fact an isomorphism.

Lemma 1.4.7. Let $N\in k^\sigma[X^r]$ be as above. Then the map

$$D_N\longrightarrow\mathrm{End}_\varphi(D_N),\qquad R\longmapsto m_R:\ \big(x\mapsto xR\big)$$

is an isomorphism of rings.

Proof. The fact that our map is a morphism of rings is straightforward. It is injective because $R = m_R(1)$. For the surjectivity, we remark that if $N$ is a commutative polynomial of degree $\delta$, $D_N$ has dimension $\delta r^2$ over $k^\sigma$ and, on the other hand, that if $E$ is the field $k^\sigma[X^r]/(N)$, $\mathrm{End}_\varphi(D_N)$ is isomorphic to $M_r(E)$, so it also has dimension $\delta r^2$. □

Proof of Proposition 1.4.6. We have the exact sequence of $\varphi$-modules:

$$0\longrightarrow k[X,\sigma]P/k[X,\sigma]N\longrightarrow D_N\longrightarrow D_P\longrightarrow 0,$$

and $D_Q$ is isomorphic to $k[X,\sigma]P/k[X,\sigma]N$ via the multiplication by $P$. Since $D_N$ is semisimple (Lemma 1.4.5), this sequence is split. Let $s: D_P\to D_N$ be a section. We have $Ps(1) = s(P)\equiv 0\pmod N$, so there exists $S\in D_N$ such that $Ps(1) = NS$. Thus $s(1) = QS$. On the other hand, $QS = s(1)\equiv 1\pmod P$. Hence there exists some $V\in k[X,\sigma]$ such that

$$QS + VP = 1.$$

It implies that $D_P$ is isomorphic to $k[X,\sigma]QS/k[X,\sigma]N$ via the multiplication by $QS$.

Let $u\in\mathrm{End}_\varphi(D_P)$, and let $A = u(1)\in D_P$. For all $x\in k[X,\sigma]$, $u(x) = xu(1) = xA$. In other words, $u$ is the multiplication by $A$, i.e. $u = m_A$. We then want to show that $m_A$ is of the form $m_{QR}$ for some $R\in D_P$. Let $\tilde u$ be the endomorphism of $k[X,\sigma]QS/k[X,\sigma]N$ deduced from $u$: we have $\tilde u(QS) = AQS$.

Since $D_N = k[X,\sigma]QS/k[X,\sigma]N\oplus k[X,\sigma]P/k[X,\sigma]N$ (decomposition of $\varphi$-modules), we can extend $\tilde u$ to $D_N$ by setting $\tilde u(P) = 0$. By Lemma 1.4.7, there exists $T\in D_N$ such that for all $x\in D_N$, $\tilde u(x) = xT$. In particular:

$$PT\equiv 0\pmod N,\qquad QST\equiv AQS\pmod N.$$

Since $VPT + QST = T$, we have $QST\equiv T\pmod N$. So, for $x\in D_N$, we get $\tilde u(xQS) = xQST = xQSAQS = (xQSA)QS$. Hence, for $x\in D_P$, $u(x) = xQSA$. Setting $R = SA$, we have $u = m_{QR}$. □
Corollary 1.4.8. Let $R$ be a random variable uniformly distributed on $D_P$. Then the right multiplication by $QR$, $m_{QR}$, is uniformly distributed on $\mathrm{End}_\varphi(D_P)\simeq M_e(E)$.

Proof. Since $R\mapsto m_{QR}$ is surjective, the probability that $m_{QR}$ is equal to $u\in\mathrm{End}_\varphi(D_P)$ is proportional to the cardinality of the fiber above $u$. We conclude the proof by remarking that $k^\sigma$-linearity together with surjectivity implies that all fibers have the same cardinality. □



Some remarks about rgcd's and llcm's. Let us present a rather elementary geometric point of view on rgcd's and llcm's in skew polynomial rings. If $P\in k[X,\sigma]$ is a divisor of an irreducible commutative polynomial $N$, of norm $N^e$, and $P_1$ is a right-divisor of $P$ of norm $N^{e_1}$, then $k[X,\sigma]P_1/k[X,\sigma]P\subset D_P$ is a sub-$E$-vector space $F_1$ of $D_P$ of dimension $e - e_1$.

If $P_2$ is another right-divisor of $P$ of norm $N^{e_2}$, it defines a sub-$E$-vector space $F_2$ of dimension $e - e_2$.

The intersection and sum of these vector spaces have a description in terms of rgcd's and llcm's:

Lemma 1.4.9. Let $R = \mathrm{rgcd}(P_1,P_2)$ and let $M = \mathrm{llcm}(P_1,P_2)$. Then:

• $F_1 + F_2 = k[X,\sigma]R/k[X,\sigma]P$,

• $F_1\cap F_2 = k[X,\sigma]M/k[X,\sigma]P$.

Proof. Left to the reader. □

Remark 1.4.10. We will mainly use this Lemma when $P_1$ is irreducible. Then $k[X,\sigma]P_1/k[X,\sigma]P$ is a hyperplane in $D_P$. If we take the image of this hyperplane under any automorphism of $D_P$, we get another hyperplane, and it is likely that the intersection of this hyperplane with $k[X,\sigma]P_1/k[X,\sigma]P$ has codimension 2 in $D_P$, and hence is a hyperplane in $k[X,\sigma]P_1/k[X,\sigma]P$. We get in this way an irreducible divisor of the quotient of the right division of $P$ by $P_1$.



1.4.3 Counting factorizations

In this section, we explain how to compute the number of factorizations of a monic skew polynomial $P\in k[X,\sigma]$ as a product of monic irreducible polynomials.

Lemma 1.4.11. Let $P\in k[X,\sigma]$ be a monic étale skew polynomial. Assume that $\mathcal{N}(P) = N^e$ with $N$ irreducible of degree $d$, and that $P$ is a right-divisor of $N$. Then the number of factorizations of $P$ as a product of monic irreducible skew polynomials is the $q^d$-factorial

$$[e]_{q^d}! = \frac{(q^d-1)(q^{2d}-1)\cdots(q^{ed}-1)}{(q^d-1)^e}.$$

Proof. By induction on $e$, it is enough to prove that $P$ has exactly $\frac{q^{ed}-1}{q^d-1}$ monic irreducible right-divisors. The number of monic irreducible right-divisors is also the number of simple sub-$\varphi$-modules of $k[X,\sigma]/k[X,\sigma]P$. Such submodules are in bijection with $k^\sigma[X^r]/(N)$-lines in $k[X,\sigma]/k[X,\sigma]P$ (if $P_1$ is an irreducible right-divisor of $P$, every irreducible right-divisor of $P$ can be written as the image of $P_1$ by an endomorphism of $k[X,\sigma]/k[X,\sigma]P$), so it has the cardinality of the projective space $\mathbb{P}(E^e)$, which is $\frac{q^{ed}-1}{q^d-1}$. □
Let us now define the type of a skew polynomial $P$. Recall first that the endomorphism $\varphi^r$ of $D_P$ defined over $k^\sigma$ can be put into Jordan form, and that a Jordan block is by definition an invariant subspace in a basis of which the restriction of $\varphi^r$ has a matrix of the form:

$$\begin{pmatrix}
A & I & \cdots & 0\\
0 & A & I & \ddots\\
\vdots & \ddots & \ddots & I\\
0 & \cdots & 0 & A
\end{pmatrix}$$

with $A$ having a characteristic polynomial that is irreducible in $k^\sigma[X^r]$. We will say that a Jordan block has size $i$ if the number of matrices $A$ that appear in this block is $i$.

Definition 1.4.12. Let $P\in k[X,\sigma]$. Assume that $\mathcal{N}(P) = N^e$ for some integer $e$. For $i\ge 1$, let $e_i$ be the number of Jordan blocks of $(D_P,\varphi^r)$ of size at least $i$. Let $n$ be the largest index such that $e_n\ne 0$; we say that $P$ has type $(e_1,\dots,e_n)$.

This means that if $P$ has type $(e_1,\dots,e_n)$, the action of $\sigma^r$ on the corresponding representation has exactly $e_1$ Jordan blocks, $e_2$ of which have size at least $2$, $e_3$ of which have size at least $3$, etc.

Remark 1.4.13. The type is determined by the nonincreasing sequence $(a_1,\dots,a_m)$, $a_i$ being the size of the $i$-th largest Jordan block of $(D_P,\varphi^r)$. The Young diagram associated to $(a_1,\dots,a_m)$ is dual to the one associated to $(e_1,\dots,e_n)$. We will say that $(a_1,\dots,a_m)$ is the dual sequence of $(e_1,\dots,e_n)$. We also say that $(a_1,\dots,a_m)$ is the dual type of $P$.

A skew polynomial $P\in k[X,\sigma]$ has type $(e)$ (with $1\le e\le r$) if and only if it is a divisor of an irreducible polynomial $N\in k^\sigma[X^r]$.

Definition 1.4.14. Let $P\in k[X,\sigma]$ be a monic skew polynomial. Let $N_1^{e_1}\cdots N_t^{e_t}$ be the factorization of $\mathcal{N}(P)$ as a product of monic irreducible polynomials. For $1\le i\le t$, let $(e_1^{(i)},\dots,e_{n_i}^{(i)})$ be the type of the restriction of $\varphi^r$ to the characteristic invariant subspace associated to $N_i$. We say that $P$ has type:

$$\big(N_1,(e_1^{(1)},\dots,e_{n_1}^{(1)})\big),\ \dots,\ \big(N_t,(e_1^{(t)},\dots,e_{n_t}^{(t)})\big).$$

As we have seen before, if $P\in k[X,\sigma]$ is a monic polynomial, then the set of all factorizations of $P$ as a product of monic irreducible polynomials is in bijection with the Jordan-Hölder sequences of the $\varphi$-module $D_P$. It is also in bijection with all bases of $D_P$ in which $\varphi^r$ has Jordan form. This can be described in terms of the types of some factors of $P$, as we are going to explain now.

First, we assume that $\mathcal{N}(P) = N^e$ with $N\in k^\sigma[X^r]$ irreducible. Let $(e_1,\dots,e_n)$ be the type of $P$. We denote by $V$ the representation associated to $D_P$, and by $g$ the endomorphism through which $\sigma^r$ acts on $V$. If $W$ is any nonzero irreducible invariant subspace of $V$, the action of $g$ on $W$ is given by the companion matrix of $N$ in some basis. Let $(a_1,\dots,a_m)$ be the dual sequence of $(e_1,\dots,e_n)$ as defined in Remark 1.4.13.

Lemma 1.4.15. Let $\delta = \deg N$. Let $1\le i\le m$ be such that $i = m$ or $a_i > a_{i+1}$. Let $i_0$ be the smallest $j$ such that $a_j = a_i$. Then there are $q^{\delta(i_0-1)} + q^{\delta i_0} + \cdots + q^{\delta(i-1)}$ irreducible invariant subspaces $V'$ of $V$ such that the quotient $V/V'$ has a type whose dual is $(a_1,\dots,a_i-1,a_{i+1},\dots,a_m)$ (or $(a_1,\dots,a_{m-1})$ if $i = m$ and $a_m = 1$).
Proof. Denote by $(\varepsilon_{1,1},\dots,\varepsilon_{1,\delta},\varepsilon_{2,1},\dots,\varepsilon_{2,\delta},\dots)$ a basis of $V$ in which the matrix of $g$ has the Jordan form above: each group $\varepsilon_{j,1},\dots,\varepsilon_{j,\delta}$ spans a copy of $W$ on which $g$ acts through the companion matrix of $N$, namely $g(\varepsilon_{j,l}) = \varepsilon_{j,l+1}$ for $1\le l<\delta$ and $g(\varepsilon_{j,\delta}) = \sum_{l=1}^{\delta}\alpha_l\varepsilon_{j,l}$, where $X^{r\delta} - \sum_{l=1}^{\delta}\alpha_lX^{r(l-1)} = N$ (the characteristic polynomial of the induced endomorphism on any irreducible invariant subspace), up to the identity blocks $I$ that link consecutive copies of $W$ inside a Jordan block of size at least $2$. Below, $\varepsilon_{j,1},\dots,\varepsilon_{j,\delta}$ ($1\le j\le m$) denotes the basis of the irreducible invariant subspace contained in the $j$-th Jordan block.

There are $i_0-1$ Jordan blocks of $g$ whose length is greater than the length of the $i$-th block. For $\lambda = (\lambda_{1,1},\dots,\lambda_{1,\delta},\dots,\lambda_{i_0-1,\delta})\in(k^\sigma)^{\delta(i_0-1)}$, let $v_\lambda = \varepsilon_{i_0,1} + \sum_{j=1}^{i_0-1}\sum_{l=1}^{\delta}\lambda_{j,l}\varepsilon_{j,l}$. Since two such vectors are not collinear, they generate distinct invariant subspaces $V_\lambda$, $V_\mu$, which are clearly isomorphic to $W$. Moreover, the quotient $V/V_\lambda$ has the same type as $V/V_{(0)}$, because the map $V\to V$ that sends $\varepsilon_{i_0,1}$ to $v_\lambda$ and is the identity outside the invariant subspace generated by $\varepsilon_{i_0,1}$ is an isomorphism (its matrix is upper triangular). One can build in the same way invariant subspaces with quotients of the same type as $V/V_{(0)}$, generated by vectors of the shape $\varepsilon_{i_0+1,1} + \sum_{j=1}^{i_0}\sum_{l=1}^{\delta}\lambda_{j,l}\varepsilon_{j,l}$, $\dots$, $\varepsilon_{i,1} + \sum_{j=1}^{i-1}\sum_{l=1}^{\delta}\lambda_{j,l}\varepsilon_{j,l}$. There are exactly $q^{\delta i_0} + \cdots + q^{\delta(i-1)}$ invariant subspaces that are built in this way. Doing such constructions for each $i$ satisfying the hypotheses of the lemma, we get exactly $1 + q^\delta + \cdots + q^{\delta(m-1)}$ irreducible invariant subspaces, which means all of them. Among these subspaces, the ones for which the quotient has the requested shape are exactly the $q^{\delta(i_0-1)} + \cdots + q^{\delta(i-1)}$ ones built for the first $i$ we considered. This proves the lemma. □

In order to compute the number of Jordan-Hölder sequences of g, consider the following diagram:

$$\begin{array}{cccc} 1 & q^{\delta} & \cdots & q^{\delta(m-1)} \\ a_1 & a_2 & \cdots & a_m \end{array}$$

with $a_1 \geq \dots \geq a_m$. An admissible path is a transformation of this table into another table

$$\begin{array}{cccc} 1 & q^{\delta} & \cdots & q^{\delta(m'-1)} \\ a'_1 & a'_2 & \cdots & a'_{m'} \end{array}$$

such that either $m' = m - 1$ and $a'_j = a_j$ for $1 \leq j \leq m-1$, if $a_m = 1$; or $m' = m$, $a'_i = a_i - 1$ and $a'_j = a_j$ for all $j \neq i$, with $1 \leq i \leq m$ such that $a_i > a_{i+1}$ (with the convention $a_{m+1} = 0$).



To such a path $\gamma$, we attach a weight $w(\gamma)$, which is the sum of the coefficients written above the cells of the first table containing the same number $a_i$ as the cell whose coefficient was lowered in the second table. Here is an example of a table and all the admissible paths with the corresponding weights:



1 




g2S 


^3S 


2 


2 


2 


1 



1 



,25 



,35 



3 


2 


2 


1 


1 q^ 


^25 


3 


2 


1 


1 



1 q' q 



25 



By Lemma 1.4.15, the weight of an admissible path from one table to another is the number of irreducible invariant subspaces of an endomorphism g, with type whose dual is given by the first table, such that the quotient has the type given by the second table. Therefore, a sequence of admissible paths ending at an empty table represents a class of Jordan-Hölder sequences, and the number of distinct sequences in this class is the product of the weights of the paths along the sequence. Hence, the number of Jordan-Hölder sequences for g is

$$\sum_{(\gamma_1, \dots, \gamma_\tau)} \prod_{i=1}^{\tau} w(\gamma_i),$$

the sum being taken over all sequences $(\gamma_1, \dots, \gamma_\tau)$ of admissible paths ending at the empty table (so $\tau = \sum_{j=1}^{m} a_j$).

Corollary 1.4.16. Let $P \in k[X,\sigma]$ be a monic étale polynomial of dual type $(a_1, \dots, a_m)$. Then the number of factorizations of P as a product of monic irreducible polynomials is

$$\sum_{(\gamma_1, \dots, \gamma_\tau)\ \mathrm{admissible}} \ \prod_{i=1}^{\tau} w(\gamma_i).$$



Example 1.4.17. If P has type (e) (so that its dual type is $(1, \dots, 1)$), then there is only one admissible path, and the number of factorizations is $[q^\delta]_e = \prod_{i=1}^{e} \frac{q^{\delta i} - 1}{q^{\delta} - 1}$.



Example 1.4.18. If P has type $(1, \dots, 1)$ (so that its dual type is (a)), there is only one admissible path, and only one factorization. The formula also shows that polynomials of this type are the only ones that have a unique factorization. These polynomials have already been studied for their interesting properties, under the name of lclm-indecomposable (see [Jac43], Chap. 3, Th. 21 and 24 for properties, and [BU12] for applications).

For the general case, there is no such nice formula, but we can still explain how to get the number of factorizations. By the Chinese remainder theorem, V is a direct sum of invariant subspaces on which the induced endomorphisms have minimal polynomial that is a power of an irreducible. Here, the type of g is defined again as the data of $((W_1, T_1), \dots, (W_s, T_s))$ where the $W_i$'s are the distinct classes of irreducible invariant subspaces of V, and the $T_i$'s are the tables representing the types of the endomorphisms induced on the corresponding subspaces of V. The notion of dual type can be defined as previously, as well as the notion of admissible path.

Proposition 1.4.19. Let g be an endomorphism of an $\mathbb{F}_q$-vector space V. Assume that the dual type of g is $((W_1, T_1), \dots, (W_s, T_s))$. Denote by $\delta_i$ the dimension of $W_i$, and by $\tau_i$ the sum of the coefficients in table $T_i$. Then the number of Jordan-Hölder sequences of g is

$$\frac{(\tau_1 + \dots + \tau_s)!}{\tau_1! \cdots \tau_s!} \sum_{(\Gamma_1, \dots, \Gamma_s)} \prod_{i=1}^{s} w(\Gamma_i),$$

the sum being taken over all the s-tuples $(\Gamma_1, \dots, \Gamma_s)$ of admissible path sequences ending at the empty tables, $w(\Gamma_i)$ being the product of the weights of the paths of $\Gamma_i$.

Proof. From a chain of admissible paths ending at $((W_1, 0), \dots, (W_s, 0))$, it is possible to extract its $W_l$-part $\Gamma_l$ for all $1 \leq l \leq s$. By definition, it is the sequence of all the paths involving a change in the table associated to $W_l$. Such a chain is a sequence of admissible paths from $T_l$ ending at the empty table. It is clear that the weight of the path sequence is the product of the weights of the $\Gamma_l$'s. Therefore, it does not depend on the way the $\Gamma_l$'s were combined together. The admissible path sequences that end at $((W_1, 0), \dots, (W_s, 0))$ are all the different ways to recombine admissible path sequences from all the $(W_l, T_l)$ to the empty table. The weight of such a sequence is the product of the weights of the $W_l$-parts. There are as many recombinations as anagrams of a word that includes $\tau_l$ times the letter $W_l$ for all $1 \leq l \leq s$, $\tau_l$ being the sum of the integers appearing in $T_l$. The result then follows directly from the previous discussion and the fact that the number of anagrams of a word that includes $\tau_l$ times the letter $W_l$ is the multinomial coefficient $\frac{(\tau_1 + \dots + \tau_s)!}{\tau_1! \cdots \tau_s!}$. □
Example 1.4.20. Assume g has dual type $((W_1, (a_1)), \dots, (W_s, (a_s)))$. It is easy to see that the only admissible path sequence for $(W_i, (a_i))$ has weight 1. Hence the number of Jordan-Hölder sequences of g is $\frac{(a_1 + \dots + a_s)!}{a_1! \cdots a_s!}$. This generalizes Remark 1.4.18.

Corollary 1.4.21. Let $P \in k[X,\sigma]$ be monic étale. Let $((W_1, T_1), \dots, (W_s, T_s))$ be the type of P. Then the number of factorizations of P as a product of monic irreducible polynomials is

$$\frac{(\tau_1 + \dots + \tau_s)!}{\tau_1! \cdots \tau_s!} \sum_{(\Gamma_1, \dots, \Gamma_s)} \prod_{i=1}^{s} w(\Gamma_i),$$

the sum being taken over all the s-tuples $(\Gamma_1, \dots, \Gamma_s)$ of admissible path sequences ending at the empty tables.
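As an added example (not code from the paper), the following Python code enumerates the admissible paths leaving a table of dual type $(a_1, \dots, a_m)$ with the weights of Lemma 1.4.15, evaluates the sum of Corollary 1.4.16 by recursion on the table, and combines several classes $W_i$ with the multinomial factor of Corollary 1.4.21. Function and parameter names are the example's own; the parameter Q stands for $q^\delta$.

```python
# Added example, not from the paper: counting Jordan-Holder sequences
# (factorizations) from the dual type, via admissible paths and their weights.
from functools import lru_cache
from math import factorial

def admissible_paths(dual, Q):
    """Yield (next_table, weight) for each admissible path leaving the table
    whose second row is `dual` = (a_1 >= ... >= a_m).  Q plays the role of
    q^delta, so the coefficient written above the j-th cell is Q^(j-1)."""
    m = len(dual)
    for i in range(m):                       # 0-based index of the lowered cell
        if i < m - 1 and dual[i] <= dual[i + 1]:
            continue                         # need a_i > a_{i+1}, or i = m
        i0 = min(j for j in range(m) if dual[j] == dual[i])
        weight = sum(Q ** j for j in range(i0, i + 1))   # Lemma 1.4.15
        if i == m - 1 and dual[i] == 1:
            yield dual[:-1], weight          # the last cell disappears
        else:
            yield dual[:i] + (dual[i] - 1,) + dual[i + 1:], weight

@lru_cache(maxsize=None)
def count_single_class(dual, Q):
    """Corollary 1.4.16: sum over all chains of admissible paths ending at the
    empty table of the product of the weights along the chain."""
    if not dual:
        return 1
    return sum(w * count_single_class(nxt, Q) for nxt, w in admissible_paths(dual, Q))

def count_factorizations(types, q):
    """Corollary 1.4.21.  `types` lists (delta_i, dual_i), one per class W_i of
    irreducible invariant subspace; tau_i is the sum of the entries of dual_i."""
    taus = [sum(dual) for _, dual in types]
    multinomial = factorial(sum(taus))
    for tau in taus:
        multinomial //= factorial(tau)
    total = multinomial
    for delta, dual in types:
        total *= count_single_class(tuple(dual), q ** delta)
    return total
```

For dual type $(1, 1, 1)$ over $q^\delta = 2$ the code returns $1 \cdot 3 \cdot 7 = 21$, matching Example 1.4.17, and a single class of dual type $(a)$ always returns 1, matching Example 1.4.18.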

In the next section, we describe an algorithm for counting the number of factorizations 
of a skew polynomial relying on this theory. 

Remark 1.4.22. If $\mathcal{N}(P)$ is a power of an irreducible commutative polynomial N, say $\mathcal{N}(P) = N^e$, then the type of P can be determined as follows: let $P_1 = P$, and for $i \geq 1$, define $Q_i = \mathrm{rgcd}(P_i, N)$ and $P_{i+1} = P_i / Q_i$. Let m be minimal such that $Q_{m+1} = 1$. Then for all $1 \leq i \leq m$, $\mathcal{N}(Q_i) = N^{e_i}$ for some integer $1 \leq e_i \leq r$, and the type of P is $(e_1, \dots, e_m)$. The type can also be determined by looking at the degrees of the successive rgcd's of P with $N, N^2, N^3, \dots$



2 Computational aspects 

This section deals with several computational aspects of skew polynomial rings. In the first part, we describe algorithms for arithmetics in these rings: multiplication, Euclidean division, gcd's and lcm's, and we give their complexities. Then, we give algorithms to compute the reduced norm of a skew polynomial as defined in the theoretical part. We use these algorithms and some other theoretical results to give a fast factorization algorithm. We give a detailed computation of the complexity of this algorithm. Finally, we describe algorithms for factorization-counting and random factorizations.
Throughout this section, we will use the following notations:

• MM(n) is the number of operations (in $k^\sigma$) needed to compute the product of two $n \times n$ matrices with coefficients in $k^\sigma$.

• SM(n, r) is the number of operations (in $k^\sigma$) needed to multiply two skew polynomials with coefficients in k of degree at most n.

We recall that we have proved in §2.1.1 that one can take $\mathrm{SM}(n, r) = \tilde{O}(nr^2)$. Regarding matrix multiplication, the naive algorithm gives $\mathrm{MM}(n) = O(n^3)$ but it is well known that this complexity can be improved. For instance, using Strassen's algorithm, one has $\mathrm{MM}(n) = O(n^{\log_2 7})$. Today, the best known asymptotic complexity for matrix multiplication is due to Vassilevska Williams [Wil12] and is about $O(n^{2.3727})$.

We use the common $\tilde{O}$ notation: if f and g are two real functions defined on the integers, we say that $f(n) = \tilde{O}(g(n))$ if there is some integer m such that $f(n) = O(g(n)\log^m(n))$.

We also assume that all usual arithmetics with polynomials can be done in quasilinear time. In particular, we assume that all usual operations (basically addition, multiplication and inverse) in an extension of $k^\sigma$ of degree d require $\tilde{O}(d)$ operations in $k^\sigma$. We refer to [GG03] for a presentation of algorithms having these complexities. Regarding the Frobenius morphism on k, we assume that all the conjugates of an element $a \in k$ can be computed in $\tilde{O}(r^2)$ operations in $k^\sigma$.

2.1 Fast arithmetics in skew polynomial rings 

This section is dedicated to basic algorithms for arithmetics in skew polynomial rings. 
2.1.1 Multiplication 

Let $A, B \in k[X,\sigma]$, both of degree $\leq d$. We give several algorithms to compute the product AB and we compare their complexities.

The classical algorithm Let us recall that the classical algorithm of [Gie98], Lemma 1.1 (which throughout this section will be referred to as "Giesbrecht's algorithm") has complexity $O(d^2 r + dr^2)$. This algorithm uses the explicit formula for the coefficients of the product of two skew polynomials: if $A = \sum_{i=0}^{d_1} a_i X^i$ and $B = \sum_{i=0}^{d_2} b_i X^i$, then their product is $\sum_{i=0}^{d_1+d_2} \left(\sum_{j=0}^{i} a_j \sigma^j(b_{i-j})\right) X^i$. For each coefficient $b_i$ of B, the list of the images of $b_i$ under all the powers of $\sigma$ can be computed in $O(r^2)$ operations in $k^\sigma$. Hence, all the $\sigma^j(b_{i-j})$ that may appear in the above formula can be computed in $O(d_2 r^2)$. Once we have these coefficients, it remains to compute the product, which is done with $O(d_1 d_2)$ operations in k, so the total complexity is $O(d_2 r^2 + d_1 d_2 r)$. To write it more simply, if both polynomials have degree less than d, then their product can be computed in $O(d^2 r + dr^2)$ operations in $k^\sigma$.

Reduction to the commutative case Here, we use fast multiplication for commutative polynomials to multiply skew polynomials. Write $A = \sum_{i=0}^{r-1} A_i X^i$, with each $A_i$ in $k[X^r]$. For $0 \leq i \leq r-1$, we denote by $B^{(i)}$ the skew polynomial deduced from B by applying $\sigma^i$ to all coefficients. Then we have:

$$AB = \sum_{i=0}^{r-1} A_i B^{(i)} X^i.$$

Since $A_i \in k[X^r]$, it is easy to see that the product $A_i B^{(i)}$ is the same as the product of these polynomials computed in $k[X]$. The algorithm is the following:

1. Compute the $B^{(i)}$.

2. Compute all the products $A_i B^{(i)}$.

3. Compute the sum $AB = \sum_{i=0}^{r-1} A_i B^{(i)} X^i$.

Lemma 2.1.1. The number of operations needed in $k^\sigma$ for the multiplication of two skew polynomials of degree at most d by the above algorithm is $\tilde{O}(dr^2)$.

Proof. We may assume that both A and B have degree d. For step 1, we need to compute all the conjugates of the d coefficients of B, which can be done in $\tilde{O}(dr^2)$ operations in $k^\sigma$. The multiplications of step 2, as multiplications of elements of $k[X]$, can be done in $\tilde{O}(d)$ multiplications of elements of k, which corresponds to $\tilde{O}(dr)$ operations in $k^\sigma$. The total complexity of this step is then $\tilde{O}(dr^2)$ operations in $k^\sigma$. Finally, there are less than $2dr$ additions of elements of k to do in step 3, which is done in $O(dr^2)$. The global complexity is therefore $\tilde{O}(dr^2)$. □



Remark 2.1.2. This complexity is apparently better than that of Giesbrecht's algorithm (the term $d^2 r$ has gone) but we want to note that Giesbrecht's algorithm can beat this "commutative method" if the degree of B is much smaller than the degree of A. Indeed, in that case the dominant term in Giesbrecht's complexity is $d_1 d_2 r$, which can be competitive with $d_1 r^2$ if r is large compared to $d_2$.



We are now going to present two variants of Karatsuba's multiplication adapted to the noncommutative case. Actually, it will turn out that the resulting algorithms are asymptotically slower than the "commutative method"; nevertheless, we believe that they can be better in some cases and, for this reason, we include them in this paper.



The plain Karatsuba method Let $A, B \in k[X,\sigma]$. Write $A = A_0 + X^{mr} A_1$ and $B = B_0 + X^{mr} B_1$, with $m = \lceil \max\{\deg A, \deg B\} / 2r \rceil$. Then we have:

$$AB = C_0 + X^{mr} C_1 + X^{2mr} C_2,$$

with $C_0 = A_0 B_0$, $C_1 = A_0 B_1 + A_1 B_0$ and $C_2 = A_1 B_1$, because $X^{mr}$ lies in the center of $k[X,\sigma]$. If we set $P = (A_0 + A_1)(B_0 + B_1)$ we get the fact that $C_1 = P - C_0 - C_2$. Hence, we can recover the product AB doing the 3 multiplications $C_0 = A_0 B_0$, $C_2 = A_1 B_1$ and $P = (A_0 + A_1)(B_0 + B_1)$. Let $\mathrm{SM}(d, r)$ be the number of multiplications needed in $k^\sigma$ to multiply two elements of $k[X,\sigma]$ of degree $< d$ using this method. We get:

$$\mathrm{SM}(d, r) \leq 3 \cdot \mathrm{SM}\left(\frac{d}{2}, r\right) \leq 3^{\log_2(d/r)} \cdot \mathrm{SM}(r).$$

Hence, this method allows to multiply polynomials of degree $< d$ in time $O\left(\left(\frac{d}{r}\right)^{\log_2 3} \mathrm{SM}(r)\right)$ provided that $d \geq r$. Using Giesbrecht's algorithm for multiplication of skew polynomials of degree $< r$, we get a complexity of $O\left(d^{\log_2 3}\, r^{3 - \log_2 3}\right)$, which is around $O(d^{1.58} r^{1.41})$.



The Karatsuba-and-matrix method The previous Karatsuba method relies on the classical multiplication for polynomials of degree $< r$. Here, we propose another fast multiplication method for polynomials of degree up to $r^2/2$ that can be combined with the Karatsuba method.

Let $N \in k^\sigma[X^r]$ be the defining polynomial of the extension $k/k^\sigma$. We will denote by t a root of N in k. By Lemma 1.2.3, the $\varphi$-module $k[X,\sigma]/N$ is isomorphic to $M_r(k)$. Here, the isomorphism can be given explicitly. Indeed, the isomorphism of this Lemma maps $A \in k[X,\sigma]/N$ to the matrix of the right multiplication by A in some basis of the k-vector space $k[X,\sigma]/N$. Let us choose the basis $1, X, \dots, X^{r-1}$. If $a \in k$, the matrix of the right multiplication by a is given by:



$$M_a = \begin{pmatrix} a & 0 & \cdots & 0 \\ 0 & \sigma(a) & \ddots & \vdots \\ \vdots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & \sigma^{r-1}(a) \end{pmatrix}$$
The matrix of multiplication by X is:

$$M_X = \begin{pmatrix} 0 & 1 & \cdots & 0 \\ \vdots & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & 1 \\ t & 0 & \cdots & 0 \end{pmatrix}$$

So, if $A = \sum_{i} a_i X^i \in k[X,\sigma]$, the image of A (mod N) can be computed easily by the previous isomorphism. More precisely, write $A = \sum_{i=0}^{r-1} A_i X^i$ with $A_i \in k[X^r]$ of degree $< r$. Then the matrix of A is:



$$M_A = \begin{pmatrix} A_0(t) & t\,\sigma(A_{r-1})(t) & \cdots & t\,\sigma^{r-1}(A_1)(t) \\ A_1(t) & \sigma(A_0)(t) & \ddots & \vdots \\ \vdots & \vdots & \ddots & t\,\sigma^{r-1}(A_{r-1})(t) \\ A_{r-1}(t) & \sigma(A_{r-2})(t) & \cdots & \sigma^{r-1}(A_0)(t) \end{pmatrix}$$

The matrix $M_A$ can be computed as follows. We first evaluate all the polynomials $A_i$ at all the conjugates of t. Using efficient algorithms (see [GG03], §10), it requires $\tilde{O}(r^3)$ operations in $k^\sigma$. We can then compute $\sigma^j(A_i)(t)$ by applying $\sigma^j$ to $A_i(\sigma^{-j}(t))$. Computing all these quantities requires $\tilde{O}(r^4)$ further operations in $k^\sigma$. Then to obtain $M_A$, it remains to multiply some of the previous coefficients by t, which requires at most $\tilde{O}(r^3)$ further operations in $k^\sigma$. Computing $M_A$ can then be done with complexity $\tilde{O}(r^4)$.

We can go in the other direction following the same idea. We first divide by t all coefficients above the diagonal of $M_A$. We then apply $\sigma^r$ to the first column, $\sigma^{r-1}$ to the second column, ..., $\sigma$ to the last column and, finally, recover the $A_i$'s by interpolation. As before, the complexity is $\tilde{O}(r^4)$ operations in $k^\sigma$.

Once these facts are noticed, the idea is quite simple: let $A, B \in k[X,\sigma]$ of degree $< r^2/2$. We compute the corresponding matrices $M_A$, $M_B$, then the product $M_A M_B$ and finally recover the coefficients of (the reduction modulo N of) AB. This whole algorithm can be done in $\tilde{O}(r^4)$ operations in $k^\sigma$.

Combining this with Karatsuba multiplication (but using this as soon as we hit polynomials of degree $< r^2/2$), we get:



$$\mathrm{SM}(d, r) = O\left(\left(\frac{d}{r^2}\right)^{\log_2 3} \mathrm{SM}(r^2, r)\right) = \tilde{O}\left(d^{\log_2 3}\, r^{4 - 2\log_2 3}\right)$$

provided that $d \geq r^2$. This is about $O(d^{1.58} r^{0.83})$.



Remark 2.1.3. The most expensive step of the previous algorithm is the application of the Frobenius. Hence, if we are working over a finite field where applying Frobenius can be done efficiently, our complexity may decrease to $\tilde{O}(r \cdot \mathrm{MM}(r))$, which beats the "commutative method". If we take $\mathrm{MM}(r) = O(r^{2.37})$, the resulting final complexity becomes $O(d^{1.58} r^{0.2})$.



2.1.2 Euclidean division 

Let $A, B \in k[X,\sigma]$ with $\deg A \geq \deg B$. We want to compute the right Euclidean division of A by B:

$$A = QB + R,$$

with $\deg R < \deg B$. The following algorithm is based on the Newton iteration process presented for example in [GG03], §9.1, which uses reciprocal polynomials. Our algorithm is an almost direct adaptation of it; the only subtlety here is that the map sending a skew polynomial to its reciprocal polynomial is not a morphism.

Lemma 2.1.4. For $n \geq 0$, we denote by $k[X,\sigma]_{\leq n}$ the subspace of skew polynomials of degree at most n. Let

$$\tau_n : k[X,\sigma]_{\leq n} \to k[X,\sigma^{-1}]_{\leq n}, \qquad \sum_{i=0}^{n} a_i X^i \mapsto \sum_{i=0}^{n} a_{n-i} X^i.$$

Then $\tau_n$ is k-linear, bijective, and for all $P, Q \in k[X,\sigma]$, with $\deg P \leq n$ and $\deg Q \leq m$, we have:

$$\tau_n(P)\,\tau_m(Q^{(n)}) = \tau_{m+n}(PQ).$$

Proof. The k-linearity is trivial, as well as bijectivity. Let $P = \sum_{i=0}^{n} a_i X^i$ and $Q = \sum_{j=0}^{m} b_j X^j$. Then the coefficient of $X^l$ in the product PQ is

$$c_l = \sum_{i+j=l} a_i\,\sigma^i(b_j).$$

Hence, the coefficient of $X^l$ in $\tau_{m+n}(PQ)$ is $c_{n+m-l} = \sum_{i+j=l} a_{n-i}\,\sigma^{n-i}(b_{m-j})$. This is clearly the coefficient of $X^l$ in the product $\tau_n(P)\,\tau_m(Q^{(n)})$, computed in $k[X,\sigma^{-1}]$. □

Let us now describe the Euclidean division algorithm. Let $n = \deg A$ and $m = \deg B$. According to the previous formula, if $A = QB + R$ is the right Euclidean division of A by B, we have:

$$\tau_n(A) = \tau_{n-m}(Q)\,\tau_m(B^{(n-m)}) + \tau_n(R).$$

Since $\deg R < m$, $\tau_n(R)$ is divisible by $X^{n-m+1}$. The idea is to compute an approximation of the left-inverse of $\tilde{B} = \tau_m(B^{(n-m)})$ in $k[[X,\sigma^{-1}]]$ (the ring of skew power series, which is defined in the obvious way, and is only used here to sketch the idea of the algorithm). Once we get such an approximation $\tilde{Q}$, truncated at precision $X^{n-m+1}$, we know that $\tau_n(A)\tilde{Q} - \tau_{n-m}(Q) \in X^{n-m+1} k[X,\sigma^{-1}]$, and by applying $\tau_{n-m}^{-1}$, we get the quotient Q.

Computing successive approximations of $\tilde{Q}$ is done by Newton iteration: let $\tilde{B}_0$ be the constant coefficient of $\tilde{B}$; we define $\tilde{Q}_0 = \tilde{B}_0^{-1}$, and $\tilde{Q}_{i+1} = 2\tilde{Q}_i - \tilde{Q}_i \tilde{B} \tilde{Q}_i$, truncated at $X^{2^{i+1}}$.

Lemma 2.1.5. For all $i \geq 0$, $\tilde{Q}_i \tilde{B} - 1 \in X^{2^i} k[X,\sigma^{-1}]$.

Proof. The proof goes by induction on i. By construction, $\tilde{Q}_0 \tilde{B} - 1 \in X k[X,\sigma^{-1}]$. Now assuming that the result is true for some $i \geq 0$, we have:

$$\tilde{Q}_{i+1}\tilde{B} - 1 = 2\tilde{Q}_i\tilde{B} - \tilde{Q}_i\tilde{B}\tilde{Q}_i\tilde{B} - 1 = -(1 - \tilde{Q}_i\tilde{B})^2 \in X^{2^{i+1}} k[X,\sigma^{-1}]$$

and we are done. □

Proposition 2.1.6. The algorithm REuclideanDivision returns the quotient and remainder of the right division of A of degree n by B of degree m in $O(\mathrm{SM}(n, r))$ operations in $k^\sigma$.
Algorithm 1: REuclideanDivision

Input: $A, B \in k[X,\sigma]$ with $\deg A \geq \deg B$

Output: $Q, R \in k[X,\sigma]$ with $\deg R < \deg B$ such that $A = QB + R$

1 $n = \deg A$; $m = \deg B$;

2 $\tilde{B} = \tau_m(B^{(n-m)})$;

3 $\tilde{Q} = \mathrm{Coefficient}(\tilde{B}, 0)^{-1}$;

4 $i = 1$;

5 while $i < n - m + 1$ do

6   $\tilde{Q} = 2\tilde{Q} - \tilde{Q}\,(\tilde{B} \bmod X^{2i})\,\tilde{Q} \pmod{X^{2i}}$;

7   $i = 2i$;

8 $\tilde{Q} = (\tau_n(A) \bmod X^{n-m+1})\,\tilde{Q} \pmod{X^{n-m+1}}$;

9 $Q = \tau_{n-m}^{-1}(\tilde{Q})$;

10 $R = A - QB$;

11 return Q, R;

Proof. We have already seen that the result of this algorithm is correct. In order to compute $\tilde{B}$, $O(mr^2)$ operations are needed. The while loop in the algorithm has $\log_2(n - m + 1)$ steps, and at the i-th step, we compute the product of skew polynomials of degree $2^i$, so the global complexity of this is $\sum_{i=0}^{\log_2(n-m)} \mathrm{SM}(2^i, r) = O(\mathrm{SM}(n - m, r))$. Computing $(\tau_n(A) \bmod X^{n-m+1})\,\tilde{Q}$ has the same complexity. Finally, we compute the product QB in $\mathrm{SM}(\max(m, n - m), r)$ operations, and $R = A - QB$ in $O(\mathrm{SM}(n, r))$ operations. □

2.1.3 Greatest common divisors and lowest common multiples 

This section describes an algorithm adapted directly from Algorithm 11.4 of [GG03], to compute the right-gcd R of two skew polynomials A and B, together with skew polynomials U, V such that $UA + VB = R$. As we have seen before, this also gives almost directly the left-lcm of A and B.

This algorithm relies on the fact that in the Euclidean division, the highest-degree terms of the quotient only depend on the highest-degree terms of the dividend and divisor. If $A \in k[X,\sigma]$ and $n \in \mathbb{N}$, with $A = \sum_{i=0}^{d} a_i X^i$ of degree d, we set $A_{(n)} = \sum_{i=0}^{n} a_{d-i} X^{n-i}$, with the convention that $a_j = 0$ for $j \notin \{0, \dots, d\}$. Then, for $n \geq 0$, $A_{(n)}$ is a skew polynomial of degree n, and $A_{(n)} = 0$ for $n < 0$. Note that for all $i \geq 0$, $(AX^i)_{(n)} = A_{(n)}$.

Definition 2.1.7. If $A, B, A^*, B^* \in k[X,\sigma]$ with $\deg A \geq \deg B$ and $\deg A^* \geq \deg B^*$, and $n \in \mathbb{Z}$, we say that $(A, B)$ and $(A^*, B^*)$ coincide up to n if

1. $A_{(n)} = A^*_{(n)}$;

2. $B_{(n - (\deg A - \deg B))} = B^*_{(n - (\deg A^* - \deg B^*))}$.

Then we have the following: 

Lemma 2.1.8 ([GG03], Lemma 11.1). Let $n \in \mathbb{Z}$, $(A, B)$ and $(A^*, B^*) \in (k[X,\sigma] \setminus \{0\})^2$ that coincide up to 2n, with $n \geq \deg A - \deg B \geq 0$. Define $Q, R, Q^*, R^*$ as the quotient and remainder in the right divisions:

$$A = QB + R, \ \text{with } \deg R < \deg B,$$
$$A^* = Q^*B^* + R^*, \ \text{with } \deg R^* < \deg B^*.$$

Then $Q = Q^*$, and either $(B, R)$ and $(B^*, R^*)$ coincide up to $2(n - \deg Q)$, or $R = 0$, or $n - \deg Q < \deg B - \deg R$.

Now, we want to carry this approximation further down the sequence of quotients when doing the Euclidean algorithm. For $A_0, A_1, A_0^*, A_1^* \in k[X,\sigma]$ monic, with $\deg A_0 > \deg A_1$ and $\deg A_0^* > \deg A_1^*$, we write:

$$A_0 = Q_1 A_1 + \rho_2 A_2, \qquad A_0^* = Q_1^* A_1^* + \rho_2^* A_2^*,$$
$$\vdots$$
$$A_{i-1} = Q_i A_i + \rho_{i+1} A_{i+1}, \qquad A_{i-1}^* = Q_i^* A_i^* + \rho_{i+1}^* A_{i+1}^*,$$
$$\vdots$$
$$A_{\ell-1} = Q_\ell A_\ell, \qquad A_{\ell^*-1}^* = Q_{\ell^*}^* A_{\ell^*}^*,$$

with for all i, $\deg A_{i+1} < \deg A_i$, with $\rho_i \in k$ and $A_i$ monic. From this sequence, we define for $1 \leq i \leq \ell$, $m_i = \deg Q_i$, $n_i = \deg A_i$, and for $n \in \mathbb{N}$,

$$\eta(n) = \max\left\{0 \leq j \leq \ell \ \middle|\ \sum_{i=1}^{j} m_i \leq n\right\}.$$

We define analogously $m_i^*$, $n_i^*$ and $\eta^*$. Then the following lemma quantifies how much the first results in the Euclidean algorithm only depend on the highest-power terms of the entries:

Lemma 2.1.9 ([GG03], Lemma 11.3). Let $n \in \mathbb{N}$, $h = \eta(n)$ and $h^* = \eta^*(n)$. If $(A_0, A_1)$ and $(A_0^*, A_1^*)$ coincide up to 2n, then $h = h^*$, $Q_i = Q_i^*$ and $\rho_{i+1} = \rho_{i+1}^*$ for $1 \leq i \leq h$.

Let us now describe the extended Euclidean algorithm.

Algorithm 2: FastExtendedRGCD

Input: $A_0, A_1 \in k[X,\sigma]$ monic, $n_0 = \deg A_0 > \deg A_1 = n_1$ and $n \in \mathbb{N}$ with $0 \leq n \leq n_0$.

Output: $M \in M_2(k[X,\sigma])$ such that $M \begin{pmatrix} A_0 \\ A_1 \end{pmatrix} = \begin{pmatrix} A_h \\ A_{h+1} \end{pmatrix}$ with $h = \eta(n)$.

1 if $A_1 = 0$ or $n < n_0 - n_1$ then return $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$;

2 $d = \lfloor n/2 \rfloor$;

3 $R = $ FastExtendedRGCD($A_{0\,(2d)}$, $A_{1\,(2d - (n_0 - n_1))}$, d);

4 $\begin{pmatrix} A'_0 \\ A'_1 \end{pmatrix} = R \begin{pmatrix} A_0 \\ A_1 \end{pmatrix}$; $n'_1 = \deg A'_1$;

5 if $A'_1 = 0$ or $n < n_0 - n'_1$ then return R;

6 $Q'_1 = A'_0 / A'_1$; $\rho'_2 = $ LeadingCoefficient($A'_0 \bmod A'_1$);

7 $A'_2 = (\rho'_2)^{-1}(A'_0 \bmod A'_1)$; $n'_2 = \deg A'_2$;

8 $d^* = n - (n_0 - n'_1)$;

9 $S = $ FastExtendedRGCD($A'_{1\,(2d^*)}$, $A'_{2\,(2d^* - (n'_1 - n'_2))}$, $d^*$);

10 $M_1 = \begin{pmatrix} 0 & 1 \\ (\rho'_2)^{-1} & -(\rho'_2)^{-1} Q'_1 \end{pmatrix}$;

11 return $S \cdot M_1 \cdot R$;

When executed for $n = n_0$, the above algorithm gives an immediate way to compute the right-gcd and left-lcm of $A_0$ and $A_1$. Indeed, in this case, we get a matrix $M = \begin{pmatrix} U_0 & U_1 \\ V_0 & V_1 \end{pmatrix}$ such that $U_0 A_0 + U_1 A_1 = \mathrm{rgcd}(A_0, A_1)$, and $V_0 A_0 = -V_1 A_1 = \mathrm{llcm}(A_0, A_1)$.
Theorem 2.1.10 ([GG03], Theorem 11.5). The algorithm FastExtendedRGCD works correctly and uses at most $O(\mathrm{SM}(n, r)\log n)$ operations in $k^\sigma$ if $A_0$ has degree $d \leq 2n$. In particular, it allows to compute the rgcd and llcm with $\tilde{O}(\mathrm{SM}(d, r))$ operations in $k^\sigma$.

Proof. The proof for correctness is exactly the same as the one in [GG03] and relies on the previous two lemmas. Let us give more details about the complexity of the algorithm. Denote by $T(n_0, n_1, n)$ the time needed to call FastExtendedRGCD on two skew polynomials $A_0, A_1$ of degrees $n_0, n_1$, with parameter n. Set $d = \lfloor n/2 \rfloor$. Then we have:

$$T(n_0, n_1, n) \leq T(2d, 2d - (n_0 - n_1), d) + T(2d^*, 2d^* - (n'_1 - n'_2), d^*) + O(\mathrm{SM}(n_0, r)).$$

The term $\mathrm{SM}(n_0, r)$ here comes from the multiplications needed for the matrix multiplications (all the polynomials in these matrices have degree at most $n_0$) and one due to the Euclidean division algorithm. The result follows by induction from the fact that $d^* \leq \lceil n/2 \rceil$. □
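The basic operations of this section, as an added example that is not code from the paper: multiplication by Giesbrecht's formula and by the "commutative method" of Lemma 2.1.1, schoolbook right Euclidean division (not the Newton iteration of Algorithm 1), and the plain right Euclidean algorithm for the rgcd (not the fast Algorithm 2). It assumes the constructed field $k = \mathbb{F}_8 = \mathbb{F}_2[t]/(t^3+t+1)$ with $\sigma$ the Frobenius $a \mapsto a^2$, so $r = 3$; all function names are the example's own.

```python
# Added example, not code from the paper: skew polynomial arithmetic over the
# constructed field k = F_8 = F_2[t]/(t^3 + t + 1) with sigma the Frobenius
# a -> a^2, so r = 3, k^sigma = F_2, and X^3 is central in k[X, sigma].
# Field elements are ints 0..7, bit i holding the coefficient of t^i.

F8_MOD = 0b1011   # t^3 + t + 1
R = 3             # order of sigma

def f8_mul(a, b):
    """Carry-less product of two field elements, reduced modulo t^3 + t + 1."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= F8_MOD
    return res

def f8_pow(a, n):
    res = 1
    while n:
        if n & 1:
            res = f8_mul(res, a)
        a = f8_mul(a, a)
        n >>= 1
    return res

def f8_inv(a):
    return f8_pow(a, 6)      # a^(8-2) is the inverse of a nonzero a

def sigma(a, i=1):
    """sigma^i(a) = a^(2^i); the conjugates of a are sigma(a, 0), sigma(a, 1), sigma(a, 2)."""
    return f8_pow(a, 2 ** (i % R))

# Skew polynomials: lists of field elements, low degree first, no trailing zero.
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def deg(p):
    return len(p) - 1        # -1 for the zero polynomial

def add(a, b):               # also subtraction, since k has characteristic 2
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([x ^ y for x, y in zip(a, b)])

def mul_classical(a, b):
    """Giesbrecht's formula: X^i b = sigma^i(b) X^i, so the coefficient of X^n
    in AB is sum_{i+j=n} a_i sigma^i(b_j)."""
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] ^= f8_mul(ai, sigma(bj, i))
    return trim(c)

def mul_plain(a, b):
    """Ordinary product in k[X] (no twist), as used by the commutative method."""
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] ^= f8_mul(ai, bj)
    return trim(c)

def mul_commutative(a, b):
    """Lemma 2.1.1: write A = sum_{i<r} A_i X^i with A_i in k[X^r].  X^r being
    central, A_i X^i B = A_i B^(i) X^i is a plain k[X] product, where B^(i) is B
    with sigma^i applied to every coefficient."""
    result = []
    for i in range(R):
        a_i = [ai if j % R == i else 0 for j, ai in enumerate(a)]   # A_i X^i
        b_i = [sigma(bj, i) for bj in b]                               # B^(i)
        result = add(result, mul_plain(a_i, b_i))
    return result

def rdivmod(a, b):
    """Schoolbook right division A = Q B + R, deg R < deg B (not the Newton
    iteration of Algorithm 1): (c X^k)(b_m X^m) = c sigma^k(b_m) X^(k+m)."""
    a, q, m = trim(list(a)), [], deg(b)
    while deg(a) >= m:
        k = deg(a) - m
        c = f8_mul(a[-1], f8_inv(sigma(b[-1], k)))
        q = add(q, [0] * k + [c])
        a = add(a, mul_classical([0] * k + [c], b))
    return q, a

def monic(p):
    """Left-multiply by the inverse of the leading coefficient."""
    inv = f8_inv(p[-1]) if p else 0
    return [f8_mul(inv, c) for c in p]

def rgcd(a, b):
    """Plain right Euclidean algorithm: rgcd(A, B) = rgcd(B, R) for A = QB + R."""
    while b:
        a, b = b, rdivmod(a, b)[1]
    return monic(a)
```

With $t$ encoded as the integer 2, `mul_classical([0, 1], [2])` returns `[0, 4]` (that is, $X t = t^2 X$) while `mul_classical([2], [0, 1])` returns `[0, 2]`, showing the noncommutativity, and both multiplication routines agree on every input.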

2.2 Computing the norm 

In this section, we give algorithms to compute the reduced norm of a skew polynomial. Let $N = N_{k/k^\sigma}$ be the norm from k to $k^\sigma$. Let $P \in k[X,\sigma]$ of degree d. We give two different ways to compute the norm, depending on whether d is greater or smaller than r. Let us start with the first case, $d < r$:

Proposition 2.2.1 ([Jac96], Proposition 1.7.1). Let $P \in k[X,\sigma]$ of degree $d < r$, $P = \sum_{i=0}^{d} a_i X^i$. Then

$$\mathcal{N}(P) = (-1)^{rd} N(a_0) + (-1)^{r(d-1)} N(a_1) X^r + \dots + N(a_d) X^{rd}.$$

This Proposition gives a direct way to compute $\mathcal{N}(P)$: this is done by computing the norms of its d coefficients. Since all the conjugates of an element of k can be computed in $O(r^2)$ operations in $k^\sigma$, and the product of r elements of k requires $O(r^2)$ operations in $k^\sigma$, the norm of an element of k can be computed in $O(r^2)$ operations in $k^\sigma$. Hence, by Proposition 2.2.1 we get an algorithm to compute $\mathcal{N}(P)$ in $O(dr^2)$ operations in $k^\sigma$ when $d < r$.

Let us now address the case $d > r$. We use the fact that $\mathcal{N}(P)$ is the determinant of multiplication by $X^r$ on $D_P$, seen as a $k[X^r]$-module. Let $t \in k$ be a primitive element over $k^\sigma$, and let $\pi_t \in k^\sigma[X^r]$ be its minimal polynomial over $k^\sigma$. Let $R_0 \in k^\sigma[X^r]$ be a polynomial of degree $n > d/r$. Let R be the polynomial obtained by composition: $R = \pi_t \circ R_0$. We work in the ring $A = k^\sigma[X^r]/R$.

The idea is the following: if R is irreducible, then A is a field extension of $k^\sigma$, and there is a natural embedding of k into A, mapping t to $R_0$. Then we can write the matrix of multiplication by P in $k[X,\sigma]$ seen as a module over $k[X^r]$, and map it to a matrix with coefficients in A. Then we can compute the determinant of this matrix, which is the image $\nu$ of the norm of P by the map $k[X^r] \to A$. Since it is known to be a polynomial with coefficients in $k^\sigma$ of degree d, and since $[A : k^\sigma] > d$, the coefficients of $\mathcal{N}(P)$ are exactly the coefficients of $\nu$ written in the canonical basis of A.

Actually, all of the above still holds if A is not a field, except that we may not use algorithms for determinants over fields to compute $\nu$. However, we can still obtain this determinant efficiently by computing the Hermite normal form of the matrix of multiplication by P in the Euclidean domain A. So in practice, all we have to do is write the matrix of multiplication by P as a matrix with coefficients in $k[X^r]$. Write $P = P_0 + P_1 X + \dots + P_{r-1} X^{r-1}$. As stated in the proof of Lemma 1.4.1, in the canonical basis $1, X, \dots, X^{r-1}$, the matrix of multiplication by P is:

$$\begin{pmatrix} P_0 & X^r \sigma(P_{r-1}) & \cdots & X^r \sigma^{r-1}(P_1) \\ P_1 & \sigma(P_0) & \ddots & \vdots \\ \vdots & \vdots & \ddots & \vdots \\ P_{r-1} & \sigma(P_{r-2}) & \cdots & \sigma^{r-1}(P_0) \end{pmatrix}$$

We map this matrix to A by taking $X^r$ to its residue class modulo R, and t to $R_0 \pmod R$. Then, we compute its determinant $\nu$ (using Smith normal form), and we can read the coefficients of $\mathcal{N}(P)$ on $\nu$.

If P has degree d, the complexity of these operations is: $O(dr^2)$ operations to compute all the conjugates of the $P_i$'s under the action of the Frobenius. Multiplication by $X^r$ is free in $k[X^r]$. This yields a total of $O(dr^2)$ operations to compute the matrix, and then $O(dr^3)$ operations in $k^\sigma$ to get its determinant. Hence, $\mathcal{N}(P)$ can be computed in $O(dr^3)$ operations in $k^\sigma$.

To sum it up, if $d < r$, then we can compute $\mathcal{N}(P)$ in $O(dr^2)$, and if $d > r$, we can compute it in $O(dr^3)$ operations in $k^\sigma$.

2.3 A fast factorization algorithm 

Let $P \in k[X,\sigma]$ be a monic polynomial. Our aim is to give an algorithm to compute a factorization of P as a product of irreducible skew polynomials. The idea of the algorithm is to reduce that problem to the problem of factoring polynomials of type (e) (using rgcd's with factors of the norm of P) and then to factor polynomials of type (e). For the sake of brevity, in the algorithms we will use the notation A/B for the quotient of the right division of A by B.

Reduction to the type-(e) case 

The following algorithm recursively computes the rgcd of a polynomial P with a central polynomial (whose irreducible factors are all irreducible factors of $\mathcal{N}(P)$) and writes it as a product of polynomials of type (e) (for some integer e depending on the factor).

Factoring a polynomial of type (e) 

Let us now explain how to factor a polynomial P of type (e). Clearly, $\mathcal{N}(P) = N^e$ with $N \in k^\sigma[X^r]$ irreducible. In this case, we know that P is a divisor of N; we write $PQ = N$ and will work with $k[X,\sigma]Q/(N)$ rather than $k[X,\sigma]/k[X,\sigma]P$. Let $R \in k[X,\sigma]Q/(N)$. Right multiplication by R is an endomorphism of $k[X,\sigma]Q/(N)$, which is a vector space of dimension e. Hence, there exist $\lambda_0, \dots, \lambda_{e-1} \in E$ such that $R^e = \sum_{i=0}^{e-1} \lambda_i R^i$. Now assume that $F(T) = T^e - \sum_{i=0}^{e-1} \lambda_i T^i \in E[T]$ has a root $\alpha \in E$. Then $R - \alpha$ is a zero-divisor in $k[X,\sigma]Q/(N)$. Indeed, $\alpha$ is an eigenvalue of multiplication by R, so there exists some $S \in k[X,\sigma]Q/(N)$ such that $S(R - \alpha)$ is zero in $k[X,\sigma]Q/(N)$. Write $R = R'Q$ and $S = S'Q$; then $S'(QR' - \alpha)$ is divisible by P, so that the right gcd of $QR' - \alpha$ and P is a divisor of P. Moreover, if $\alpha$ is the only eigenvalue of the multiplication by R (with multiplicity one), then this divisor is irreducible. We will see that this happens with good probability. Once we get an irreducible factor, we can proceed recursively to factor P. However, we can also use a slightly more efficient trick relying on the knowledge of an irreducible factor.
Algorithm 3: Type_e_Factorization

Input: $P \in k[X,\sigma]$, $(N_1, \dots, N_m)$ irreducible such that $\mathcal{N}(P) = \prod_i N_i$, ordered by nondecreasing degree

Output: $P_{1,1}, P_{1,2}, \dots, P_{1,m_1}, \dots, P_{n,1}, \dots, P_{n,m_n} \in k[X,\sigma]$ and $N_1, \dots, N_n \in k^\sigma[X^r]$ irreducible such that $P = \prod_i \prod_j P_{i,j}$ and each $P_{i,j}$ has type $e_j$ and norm $N_i^{e_j}$

1 $d_1 = \deg N_1$;

2 for $1 \leq i \leq m - 1$ do $d_{i+1} = d_i + \deg N_{i+1}$;

3 $d = d_m$; $\delta = d / \log d$;

4 $l = \min\{1 \leq j \leq m \mid d_j \geq d/2 - \delta/2\}$;

5 if $[d/2 - \delta/2,\ d/2 + \delta/2] \cap \{d_1, \dots, d_{m-1}\} = \emptyset$ then

6   $j = m$;

7   while $j \geq l$ do

8     $P_j = \mathrm{rgcd}(P, N_j)$;

9     $j = j - \deg P_j / \deg N_j$;

10    $P = P / P_j$;

11  return Type_e_Factorization(P, $(N_1, \dots, N_{l-1})$), $\{P_j \mid l \leq j \leq m\}$;

12 else

13  $M = N_{l+1} \cdots N_m$;

14  $Q_1 = \mathrm{rgcd}(P, M)$; $Q_2 = P / Q_1$;

15  return Type_e_Factorization($Q_2$, $(N_1, \dots, N_l)$), Type_e_Factorization($Q_1$, $(N_{l+1}, \dots, N_m)$);



Assume we know an irreducible right factor $P_1$ of P, and write $P = P_2 P_1$. Let $R \in k[X,\sigma]$ and let $A = \mathrm{rgcd}(P, P_1 Q R)$. Now let $B = \mathrm{llcm}(A, P_1) / P_1$. Since $\mathrm{llcm}(A, P_1) = B P_1$ is a right multiple of both $P_1$ and A, it is a divisor of P. Hence, B is a divisor of $P_2$. In general, A and B should have the same degree as $P_1$, yielding an irreducible factor of $P_2$. The precise probability study will appear in §2.4.2. The following two algorithms describe how to factor a polynomial P of type (e): the first one finds one irreducible factor of P, and the second one performs the "lcm trick" to factor P as a product of irreducibles given one irreducible right factor.
Algorithm 4: FirstFactor

Input: $(P, N) \in k[X,\sigma] \times k^\sigma[X^r]$ such that P is of type (e), $\mathcal{N}(P) = N^e$ and N is irreducible

Output: An irreducible right divisor of P

1 $E = k^\sigma[X^r]/(N)$;

2 $Q = N / P$;

3 while true do

4   $R = $ RandomElement($k[X,\sigma]/k[X,\sigma]P$);

5   $R_0 = 1$;

6   for $0 \leq i \leq e - 1$ do $R_{i+1} = RQ \cdot R_i$;

7   Find $\lambda_0, \dots, \lambda_{e-1} \in E$ such that $R_e = \sum_{i=0}^{e-1} \lambda_i R_i$;

8   $F(T) = T^e - \sum_{i=0}^{e-1} \lambda_i T^i$;

9   if F has a simple root $\alpha$ in E then

10    $P_1 = \mathrm{rgcd}(P, QR - \alpha)$;

11    return $P_1$;



Algorithm 5: FactorStep

Input: $(P, N, P_1) \in k[X,\sigma] \times k^\sigma[X^r] \times k[X,\sigma]$ such that P is of type (e), $\mathcal{N}(P) = N^e$, N is irreducible and $P_1$ is an irreducible right factor of P

Output: Irreducible polynomials $P_1, \dots, P_e$ such that $P = P_e \cdots P_1$

1 $Q = N / P$;

2 for $1 \leq i \leq e - 1$ do

3   while true do

4     $R = $ RandomElement($k[X,\sigma]/k[X,\sigma]P$);

5     $A = \mathrm{rgcd}(P, P_i Q R)$;

6     $B = \mathrm{llcm}(P_i, A) / P_i$;

7     if $\deg B = \deg P_i$ then

8       $P_{i+1} = B$;

9       break;

10 return $P_1, \dots, P_e$;



Gluing together the three previous algorithms, we get a complete factorization algorithm. We assume that the function Factorization returns the factorization of a (commutative) polynomial as a product of irreducible polynomials ordered by their degrees.



Algorithm 6: SkewFactorization

Input: $P \in k[X,\sigma]$

Output: A list of irreducible polynomials $(P_1, \dots, P_m)$ such that $P = P_m \cdots P_1$

1 $N = \mathcal{N}(P)$;

2 $N_1 \cdots N_m = $ Factorization(N);

3 $(G_{1,1}, \dots, G_{n,m_n}) = $ Type_e_Factorization(P, $(N_1, \dots, N_m)$);

4 for $1 \leq i \leq n$ do

5   for $1 \leq j \leq m_i$ do

6     $P_{i,j,1}, \dots, P_{i,j,e_{i,j}} = $ FactorStep($G_{i,j}$, $N_i$, FirstFactor($G_{i,j}$, $N_i$));

7 return $(P_{i,j,l})$;
2.4 Complexity

In this section, we analyze the complexity of the factorization algorithm. The complexity will be expressed in terms of the degree $d$ of the skew polynomial that is to be factored, the degree $r$ of $k/k^\sigma$, and the cardinal $q$ of $k^\sigma$.

2.4.1 Complexity of the steps 

Let us detail the complexity of the steps of our factorization algorithm. 

Type-(e)-factorization We have the following lemma, giving the complexity of the algorithm Type_e_Factorization.

Lemma 2.4.1. Let $P \in k[X,\sigma]$ and let $N_1, \dots, N_m \in k^\sigma[X^r]$ be irreducible polynomials such that $P$ divides $N_1 \cdots N_m$ in $k[X,\sigma]$. Then the algorithm Type_e_Factorization applied to $P$ and $N_1, \dots, N_m$ returns a correct result with $\tilde O(d r^3)$ operations in $k^\sigma$.

Proof. Let us prove the result by induction on $d$. Let $(N_1, a_1), \dots, (N_m, a_m)$ be the irreducible polynomials that are given as arguments, and $\delta_i = \deg N_i$ for $1 \le i \le m$. We assume that the $N_i$'s are ordered so that the sequence of $\delta_i$ is nondecreasing. There are two cases to look at.

If there exists $1 \le i \le m$ and $1 \le a \le a_i$ such that
$$\sum_{j<i} a_j \delta_j + a \delta_i \in \Big[\frac d2\Big(1 - \frac{1}{\log d}\Big),\ \frac d2\Big(1 + \frac{1}{\log d}\Big)\Big],$$

then we choose the minimal $(i, a)$ (for the lexicographical order) having this property. We write $N_l = N_i^a \prod_{j<i} N_j^{a_j}$ and $N_r = N/N_l$. Then we write $P_r = \mathrm{rgcd}(P, N_r)$, and define $P_l$ as the quotient in the right-division of $P$ by $P_r$. The algorithm is then applied to $(P_l, N_l, (N_1, a_1), \dots, (N_i, a))$ and $(P_r, N_r, (N_i, a_i - a), \dots, (N_m, a_m))$.

The number of operations needed for this is denoted by $C(d, r)$. In this case, we have:
$$C(d, r) \le 2\,C\Big(\frac d2\Big(1 + \frac{1}{\log d}\Big), r\Big) + \tilde O(SM(dr, r)).$$

Indeed, the operations we have to do before starting the recursive steps are: computing a product of (commutative) polynomials in $k^\sigma[X^r]$ such that the sum of their degrees is less than $\frac d2\big(1 + \frac{1}{\log d}\big)$, computing the right gcd of $P$ with a polynomial of degree less than $dr$, and dividing $P$ by this gcd. The most expensive part is the computation of the gcd, and it costs $\tilde O(SM(dr, r))$.

In the other case, there is no $(i, a)$ such that
$$\sum_{j<i} a_j \delta_j + a \delta_i \in \Big[\frac d2\Big(1 - \frac{1}{\log d}\Big),\ \frac d2\Big(1 + \frac{1}{\log d}\Big)\Big].$$
Hence, for $(i, a)$ such that $\sum_{j<i} a_j \delta_j + a \delta_i > \frac d2\big(1 + \frac{1}{\log d}\big)$, we know that $\delta_i > \frac{d}{\log d}$ and there are at most $\log d$ such couples $(i, a)$. In this case, the algorithm is to compute $N_l, N_r$ as before, and then the successive gcd's of $P$ with the $N_j$'s having the previous property, and apply the algorithm with the last quotient $P_l$ and $N_l$.

There are at most $\log d$ rgcd's of a skew polynomial of degree at most $d$ with skew polynomials of degree at most $dr$, which takes $O(SM(dr, r))$ operations, and all the other computations are cheaper than this. Again, we have:
$$C(d, r) \le C\Big(\frac d2\Big(1 + \frac{1}{\log d}\Big), r\Big) + \tilde O(SM(dr, r)) \le 2\,C\Big(\frac d2\Big(1 + \frac{1}{\log d}\Big), r\Big) + \tilde O(SM(dr, r)).$$

Let us assume that the $O(SM(dr, r))$ appearing in the above inequality is $\le c\, d r^3 \log^a d$ for some constants $c, a$ (we use the fact that $SM(d, r) = O(d r^2)$). We are going to show that there exists a constant $c'$ such that
$$C(d, r) \le c' d r^3 \log^{a+1} d.$$

We want to have:
$$C(d, r) \le c' d\Big(1 + \frac{1}{\log d}\Big) r^3 \log^{a+1}\Big(\frac d2\Big(1 + \frac{1}{\log d}\Big)\Big) + c\, d r^3 \log^a d.$$
This implies that:
$$C(d, r) \le c' d r^3 \log^{a+1} d \Big(1 - \frac{(a+1)\log 2}{\log d} + o\Big(\frac{1}{\log d}\Big)\Big) + c' d r^3 \log^a d + c\, d r^3 \log^a d.$$
If we choose $c'$ such that $c' + c - c'(a+1)\log 2 + O\big(\frac{1}{\log d}\big) \le 0$ for $d$ large enough, then induction shows that for $d$ large enough,
$$C(d, r) \le c' d r^3 \log^{a+1} d.$$
Since it is possible to choose such a $c'$, the proof is complete. □



FirstFactor We shall detail the complexity of all the steps of this algorithm. In the following, $P$ has type (e) and norm $N^e$, with $e \le r$. The degree of $N$ as an element of $k^\sigma[X^r]$ is $\delta$, so that the degree of $P$ is $\delta e$.

1. Compute $Q \in k[X,\sigma]$ such that $PQ = N$. This Euclidean division can be done with complexity $SM(\delta r, r)$. Note that this step is done only once even if the loop fails to find a divisor.

2. Choose a random element $R \in k[X,\sigma]/k[X,\sigma]P$ and compute $RQ, \dots, (RQ)^e$ modulo $N$. This requires $e$ multiplications of skew polynomials of degree $\delta r$ plus one reduction modulo $N$ at each step. After having remarked that the reduction modulo $N$ of a skew polynomial is equal to its reduction modulo $N$ in the ring of usual polynomials, we see that it costs only $O(\delta^2 r)$ operations in $k^\sigma$. The whole cost of this step is then $O(e \cdot SM(\delta r, r))$.

3. Find a linear dependence between the powers of $RQ$ of the following form:
$$\sum_{i=0}^{e} a_i (RQ)^i = 0, \qquad (1)$$
where the $a_i$'s are in $E$. Even though the elements $(RQ)^i$ naturally live in a space of dimension $e^2$ over $E$, we know the first $e$ of them are linearly dependent, and we can work in a vector space of dimension $e$ over $E$ by projection. Hence, the complexity of this step is $\delta \cdot MM(e)$.

4. Check whether the polynomial $F(T) = \sum_{i=0}^{e} a_i T^i$ (where the $a_i$'s are defined by formula (1)) has a root in $E$. For this, it is enough to compute the gcd of $F$ with $T^{\# E} - T$. Noting that $\# E = q^\delta$ with $q = \# k^\sigma$, we can first compute $T^{q^\delta}$ modulo $F(T)$ by first raising $T$ to the $q$-th power modulo $F(T)$ (using classical fast exponentiation) and then performing $O(\log \delta)$ modular compositions. Using Corollary 5.2 of [KU08], this can be done in $O(\delta \log^2 q + e^{1+\varepsilon}(\delta \log q)^{1+o(1)})$ bit operations, for all $\varepsilon > 0$ (the first term corresponds to the fast exponentiation and the second to the modular compositions). It then remains to compute the gcd of two polynomials over $E$ of degree $\le e$, which can be achieved with $O(e\delta)$ more operations in $k^\sigma$.

5. Compute the right gcd of $P$ with a skew polynomial of degree $\delta r$, which costs $O(SM(\delta r, r))$ operations in $k^\sigma$. Note that this step is done only once even if the loop fails to find a divisor.

Since any operation in $k^\sigma$ requires $O(\log q)$ bit operations, the total complexity of this algorithm is
$$O\big(SM(\delta r, r) \cdot e \log q + MM(e) \cdot \delta \log q + \delta \log^2 q + e^{1+\varepsilon}(\delta \log q)^{1+o(1)}\big)$$
bit operations. Using $SM(n, r) = O(n r^2)$ and $MM(n) = O(n^\omega)$ and noting that $e \le r$, this becomes
$$\tilde O\big(\delta e r^3 \log q + \delta \log^2 q + e^{1+\varepsilon}(\delta \log q)^{1+o(1)}\big)$$
for all $\varepsilon > 0$. We will see in §2.4.3 why the probability of success is bounded from below independently of the data of the problem.

Factor Step This algorithm computes a factorization of $P$ (still of type (e)), knowing a factor of $P$. The next irreducible factor is computed with one rgcd and one llcm between polynomials of degree at most $\delta r$. This operation may fail (in which case we repeat it with a new random input) but we will see in §2.4.4 that the probability of failure is very small. Hence, in order to compute the complexity, it is safe to assume that failures never happen. As is shown in §2.1.10, this has complexity $O(SM(\delta r, r))$. Hence the complexity of this step is $\tilde O(\delta r^3)$.

2.4.2 Global complexity 

Let us sum up all the previous step complexities to give the complexity of the whole 
factorization algorithm. 

Theorem 2.4.2. The algorithm SkewFactorization runs in
$$\tilde O\big(d r^3 \log q + d \log^2 q + d^{1+\varepsilon} (\log q)^{1+o(1)} + F(d, k^\sigma)\big)$$
bit operations to factor a skew polynomial of degree $d$. Here, $F(d, K)$ denotes the complexity of the factorization of a (commutative) polynomial of degree $d$ over the finite field $K$.
Proof. Computing the norm of $P \in k[X,\sigma]$ of degree $d$ takes $\tilde O(d r^3)$ operations in $k^\sigma$. Factoring the norm $\mathcal{N}(P)$ (that has degree $d$ as an element of $k^\sigma[X^r]$) takes by definition $F(d, k^\sigma)$ operations in $k^\sigma$. Then, the algorithm Type_e_Factorization runs in $\tilde O(d r^3)$ operations in $k^\sigma$. Let $P_1, \dots, P_m$ be the factors of $P$ obtained after Type_e_Factorization. Assume that $P_i$ has type $(e_i)$ and degree $\delta_i e_i$. Then for each $i$, the factorization of $P_i$ takes $\tilde O(\delta_i e_i r^3 \log q + \delta_i e_i \log^2 q + e_i^{1+\varepsilon}(\delta_i \log q)^{1+o(1)})$ bit operations (it uses FirstFactor and FactorStep). So, to factor $P$ given its "type-(e)-factorization", we need $\tilde O(d r^3 \log q + d \log^2 q + d^{1+\varepsilon}(\log q)^{1+o(1)})$ bit operations. Putting all the steps together, we get the desired complexity. □

Remark 2.4.3. Of course, this result is true provided that the probabilities of success of 
the probabilistic parts of the algorithm are bounded from below independently of d and r. 
This is what we will show in the next part. 



2.4.3 Probability of finding a factor 

The function FirstFactor finds an irreducible factor of $P$ whenever the random endomorphism "multiplication by $RQ$" has exactly one (simple) eigenvalue in $E$. By Corollary 1.4.8, if $RQ$ is uniformly distributed in $k[X,\sigma]Q/(N)$, then this endomorphism is uniformly distributed in $\mathrm{End}(k[X,\sigma]Q/(N))$. Therefore, we want to evaluate the probability for an endomorphism of an $E$-vector space of dimension $e$ to have a unique eigenvalue in $E$.

Let $B_d$ be the probability that a $d \times d$ matrix with coefficients in $E$ has $0$ as a simple, unique eigenvalue in $E$. Obviously, setting $q = \# E$, this is $\frac1q$ times the probability that a $d \times d$ matrix has a simple, unique eigenvalue in $E$. We can write:
$$B_d = \frac1q \cdot \frac{1 - \frac{1}{q^d}}{1 - \frac1q} \cdot A_{d-1},$$
where $A_i$ denotes the probability that an $i \times i$ matrix with coefficients in $E$ has no eigenvalue in $E$.
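An exhaustive check of the relation between $B_d$ and $A_{d-1}$ above, as added example code (not from the paper): it enumerates every $d \times d$ matrix over a prime field $\mathbb{F}_p$, taking $E = \mathbb{F}_p$ (so $q = p$ and $\delta = 1$; the paper's $E$ is in general an extension field, which this check does not cover), classifies each matrix by the algebraic multiplicities of its eigenvalues in $\mathbb{F}_p$, and compares the observed frequencies with the displayed formula. The function names and the choice of small $(p, d)$ are this example's own.

```python
"""Exhaustive check of the eigenvalue statistics behind FirstFactor, over a prime
field F_p taken as E (so q = p and delta = 1). Constructed example code, not the
paper's implementation."""
from fractions import Fraction
from itertools import product


def rank_mod_p(rows, p):
    """Rank over F_p by Gauss-Jordan elimination; rows is a list of row lists."""
    m = [r[:] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], p - 2, p)            # Fermat inverse, p prime
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][c]:
                f = m[i][c]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[rank])]
        rank += 1
    return rank


def matmul_mod_p(a, b, p):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]


def alg_multiplicity(m, lam, p):
    """Algebraic multiplicity of lam as an eigenvalue of m over F_p, computed as
    d - rank((m - lam*I)^d), the dimension of the generalised eigenspace."""
    d = len(m)
    a = [[(m[i][j] - (lam if i == j else 0)) % p for j in range(d)] for i in range(d)]
    if rank_mod_p(a, p) == d:                      # lam is not an eigenvalue
        return 0
    power = a
    for _ in range(d - 1):
        power = matmul_mod_p(power, a, p)
    return d - rank_mod_p(power, p)


def eigenvalue_counts(p, d):
    """Exact frequencies over all p^(d*d) matrices in M_d(F_p):
    A_d : no eigenvalue in F_p,
    B_d : 0 is an eigenvalue, simple, and the only one,
    U_d : some lambda is an eigenvalue, simple, and the only one
          (the event in which one FirstFactor iteration succeeds)."""
    total = p ** (d * d)
    a_cnt = b_cnt = u_cnt = 0
    for entries in product(range(p), repeat=d * d):
        m = [list(entries[i * d:(i + 1) * d]) for i in range(d)]
        mult = [alg_multiplicity(m, lam, p) for lam in range(p)]
        s = sum(mult)
        if s == 0:
            a_cnt += 1
        elif s == 1:                                # exactly one eigenvalue, and it is simple
            u_cnt += 1
            if mult[0] == 1:
                b_cnt += 1
    return Fraction(a_cnt, total), Fraction(b_cnt, total), Fraction(u_cnt, total)


def predicted_B(p, d, A_prev):
    """B_d = (1/q) * (1 - q^-d) / (1 - q^-1) * A_{d-1}, with q = #E = p."""
    q = Fraction(p)
    return (1 / q) * (1 - q ** (-d)) / (1 - 1 / q) * A_prev
```

eigenvalue_counts(2, 3) returns (3/32, 7/64, 7/32): over $\mathbb{F}_2$, 7/32 of all $3 \times 3$ matrices have a unique simple eigenvalue, which is the success probability of one FirstFactor iteration in this toy setting, and 7/64 equals predicted_B(2, 3, 1/8) with $A_2 = 1/8$. For $p = 3$, $d = 3$ the enumeration covers 19683 matrices and takes a few seconds.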

Let us now detail how to obtain a bound on $A_i$. By [NP98], Theorems 4.1 and 4.2, we get the formula for the generating series:
$$\sum_{i=0}^{+\infty} A_i z^i = \frac{G(z)}{1 - z},$$
where $G(z) = \prod_{i \ge 1}\big(1 - \frac{z}{q^i}\big)^{q-1}$. If we write $G(z) = \sum_{i \ge 0} C_i z^i$, then for all $i \ge 0$, $A_i = \sum_{j=0}^{i} C_j$.

Lemma 2.4.4. We have the following formulas:
• $A_0 = C_0 = 1$
• $C_1 = -1$
• $C_2 = \dfrac{q}{2(q+1)}$

Proof. The first two assertions follow easily from identifying the coefficients of $1$ and $z$ in the power series $G$. For the third formula, identifying the coefficient of $z^2$ gives:
$$C_2 = \sum_{i=1}^{+\infty} \frac{(q-1)(q-2)}{2 q^{2i}} + \sum_{i<j} \frac{(q-1)^2}{q^{i+j}}.$$
The result then follows from the usual formulas for sums of geometric progressions. □
Next, remark that:
$$\sum_{i=0}^{+\infty} C_i = \prod_{i \ge 1}\Big(1 - \frac{1}{q^i}\Big)^{q-1}, \qquad \sum_{i=0}^{+\infty} (-1)^i C_i = \prod_{i \ge 1}\Big(1 + \frac{1}{q^i}\Big)^{q-1}.$$

Combining both expressions, we get:
$$2 \sum_{i \ge 0} C_{2i+1} = \prod_{i \ge 1}\Big(1 - \frac{1}{q^i}\Big)^{q-1} - \prod_{i \ge 1}\Big(1 + \frac{1}{q^i}\Big)^{q-1}.$$

Studying the function $q \mapsto \prod_{i \ge 1}(1 + q^{-i})^{q-1} - \prod_{i \ge 1}(1 - q^{-i})^{q-1}$, which is non-decreasing, we find that the sum $-\sum_{i \ge 0} C_{2i+1}$ is smaller than its limit when $q$ goes to infinity:
$$-\sum_{i \ge 0} C_{2i+1} \le \frac12\big(e - e^{-1}\big).$$

Now, it is clear that for all $i \ge 2$, $A_i \ge C_0 + C_2 + \sum_{j \ge 0} C_{2j+1} \ge 1 + \dfrac{q}{2(q+1)} - \dfrac12\big(e - e^{-1}\big)$.

Note that this quantity is $> 0.15$ for all $q$, and $> 0.3$ when $q \ge 23$.



2.4.4 Probability of finding another factor

As usual, we assume that $P$ is a right-divisor of $N^e$, with $N \in k^\sigma[X^r]$ irreducible, $\mathcal{N}(P) = N^e$ and $\deg N = \delta$. We have seen that once we know an irreducible factor of $P$, there is an easy way to factor it without using FirstFactor again. The following lemma makes this more precise:

Lemma 2.4.5. Let $P = P_2 P_1$ with $P_1$ irreducible and $P_2$ reducible, and let $R$ be a random variable following the uniform distribution on $k[X,\sigma]/k[X,\sigma]P$. Let $A = \mathrm{rgcd}(P, P_1 Q R)$ and let $B$ be defined by $\mathrm{llcm}(A, P_1) = B P_1$. Then the probability that $B$ is an irreducible right factor of $P_2$ is at least $1 - q^{-\delta(e-1)}$.

Proof. We work in $k[X,\sigma]/N$. Remark then that $AQ = \mathrm{rgcd}(N, P_1 Q R Q)$ and that $\mathrm{llcm}(A, P_1)\,Q = \mathrm{llcm}(AQ, P_1 Q)$. We see the multiplication by $RQ$ as an endomorphism $m_{RQ}$ of $k[X,\sigma]Q/N$. Since $R$ follows the uniform distribution, so does $m_{RQ}$. Remark that $m_{RQ}(k[X,\sigma]P_1 Q/N)$ is a submodule of $k[X,\sigma]Q/N$. It is actually equal to $k[X,\sigma]AQ/N$. Indeed, $k[X,\sigma]P_1 Q R Q \subset k[X,\sigma]AQ$, and $AQ \in k[X,\sigma]P_1 Q R Q/N$ by definition. Then, we remark that the projection along $k[X,\sigma]P_2$ onto $k[X,\sigma]P_1 Q/N$ maps the submodule $k[X,\sigma]UQ/N$ to $k[X,\sigma]\,\mathrm{llcm}(U, P_1)\,Q/N$. In particular, $k[X,\sigma]\,\mathrm{llcm}(A, P_1)\,Q/N$ is the projection of $m_{RQ}(k[X,\sigma]P_1 Q/N)$ onto $k[X,\sigma]P_1 Q/N$. Therefore, $B$ is an irreducible right-factor of $P_2$ unless $m_{RQ}(k[X,\sigma]P_1 Q/N) = k[X,\sigma]P_1 Q/N$. Since $m_{RQ}$ is uniformly distributed in the endomorphisms of $D_P$ and $k[X,\sigma]P_1 Q/N$ has cardinal $q^{\delta(e-1)}$ while $D_P$ has cardinal $q^{\delta e}$, this happens with probability $q^{-\delta(e-1)}$. □

2.5 Other algorithms related to factorizations 

In this section, we give some more details on other algorithms that could have interesting 
applications. The theoretical material on which they rely is only what appears in previous 
sections. 
2.5.1 Counting factorizations

This algorithm uses the formula given in Corollary 1.4.21 and is recursive. First, we give the algorithm computing the number of factorizations of a skew polynomial as a function of its type:

Algorithm 7: CountFactorizationsStep
Input: $(\delta, (a_1, \dots, a_n))$, an integer and a nonincreasing sequence of integers
Output: The number of factorizations of a skew polynomial whose norm is a power of an irreducible of degree $\delta$ and that has dual type $(a_1, \dots, a_n)$

1  $h = 1$;
2  for $1 \le i \le n$ do
3      if $(i = n)$ or $(a_i > a_{i+1})$ then
4          $j = \min\{l \mid a_l = a_i\}$;
5          $h = h \times \mathrm{CountFactorizationsStep}(\delta, (a_1, \dots, a_{j-1}, a_j - 1, a_{j+1}, \dots, a_n))$
6                $\times\ (q^{\,?} + \cdots + q^{\,?})$;
7  return $h$;

The following algorithm gives the number of factorizations of a given skew polynomial 
as the product of its leading coefficient and monic irreducible skew polynomials. We assume 
that we have a function DualType that computes the dual of a nondecreasing sequence of 
integers. 

Algorithm 8: CountFactorizations
Input: $P \in k[X,\sigma]$

Output: The number of factorizations of $P$ as a product of its leading coefficient and monic irreducible polynomials

1  $N = \mathcal{N}(P)$;
2  $([N_1, d_1], \dots, [N_t, d_t]) = \mathrm{Factorization}(N)$;
3  $h = 1$; $T = 0$;
4  for $1 \le i \le t$ do
5      $\delta = \deg(N_i)$;
6      $A = \mathrm{rgcd}(P, N_i)$; $j = 1$;
7      while $A \ne 1$ do
8          $e_j = \deg A / \delta$;
9          $P = P/A$;
10         $A = \mathrm{rgcd}(P, N_i)$;
11         $j = j + 1$;
12     $T = T + e_1 + \cdots + e_{j-1}$;
13     $a = \mathrm{DualType}(e_1, \dots, e_{j-1})$;
14     $h = \dfrac{h}{(e_1 + \cdots + e_{j-1})!} \cdot \mathrm{CountFactorizationsStep}(\delta, a)$;
15 $h = T! \times h$;
16 return $h$;
2.5.2 Random factorizations

For some applications of skew polynomials, it could be interesting to have an algorithm that returns a factorization of a given skew polynomial $P$, following the uniform distribution on all factorizations of this skew polynomial. In this section, we describe such an algorithm.

Since we do not want to simply list all factorizations of $P$ and pick one randomly (there can be so many factorizations that this would have a very bad complexity), we want an algorithm that can simulate the uniform distribution on the right-factors of $P$. Let us first explain how to do this when $P$ has type (e).

Assume $P$ has type (e) and norm $N^e$, and let $E = k^\sigma[X^r]/(N)$. As usual, $\delta = \deg N$ and $q = \# k^\sigma$. Suppose that we know one irreducible right-factor $P_0$ of $P$. This factor corresponds to an $E$-line in $D_P = k[X,\sigma]/k[X,\sigma]P$. The orbit of this line under the action of $\mathrm{End}_E(D_P)$ is the set of all $E$-lines in $D_P$, corresponding to all irreducible right-divisors of $P$. We now want to find one element $u \in \mathrm{End}_E(D_P)$ admitting a generator $x$ of this line as a cyclic vector (so that $D_P = E[u]\,x$), so that in order to simulate the uniform distribution on the irreducible right-divisors of $P$, it is enough to simulate the uniform distribution on the polynomials $M$ of degree $< e$ with coefficients in $E$ and compute the image of our line under the action of $M(u)$. Let us estimate the probability to find such a $u$. Since $\mathrm{End}_E(D_P) \simeq \mathcal{M}_e(E)$, we want to know the probability that, for a fixed nonzero vector $x \in E^e$, an element $u \in \mathcal{M}_e(E)$ admits an element of the line $Ex$ as a cyclic vector. The number of $u \in \mathcal{M}_e(E)$ that have this property is $(q^{\delta e} - 1)(q^{\delta e} - q^{\delta}) \cdots (q^{\delta e} - q^{\delta(e-1)})$. Hence the probability to find a $u$ with the desired property is
$$\frac{(q^{\delta e} - 1)(q^{\delta e} - q^{\delta}) \cdots (q^{\delta e} - q^{\delta(e-1)})}{q^{\delta e^2}},$$
which is greater than 0.53 by [NP98], Lemma 2.2 (applied to computing the value of the infinite product when $q^\delta = 4$).

Once we know how to randomly get a divisor of a polynomial of type (e), the idea of the algorithm to get a random factorization of any skew polynomial $P$ is the following: compute the type of $P$, and randomly choose an irreducible divisor $N_i$ of $\mathcal{N}(P)$ (with uniform distribution). Compute $Q = \mathrm{rgcd}(N_i, P)$ and randomly find a right-irreducible divisor $P_1$ of $Q$ with the previous algorithm. Let $Q_1 P_1 = Q$. Compute the type of $Q_1$. Keep the factor $P_1$ with the same probability as the ratio of irreducible right-divisors of $Q$ yielding a left-divisor of the type of $Q_1$ (this can be done by counting the factorizations of $Q$ and $Q_1$, which depends only on their types). Write $P = R P_1$ and randomly factor $R$. By construction, it is clear that the factorization we get in the end is uniformly distributed among all factorizations of $P$.

2.6 Implementation

All algorithms presented in this article were implemented in SAGE. The source code is available on the CETHop website at the URL:

http://cethop.math.cnrs.fr/documents/skew_polynomials-sage.tgz

A MAGMA package is also available; it includes some of the algorithms presented here (and, in particular, the factorization algorithm). It can be downloaded at the URL:

http://cethop.math.cnrs.fr/documents/skew_polynomials.m